On Thu, Apr 04, 2024 at 05:54:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Marco,
>
> [CC'ing security team]
>
> On Mon, Apr 01, 2024 at 04:25:05PM +0200, Marco d'Itri wrote:
> > Control: found -1 5.0.0-1
> > Control: fixed -1 7.4.2
> >
> > On Nov 17, Salvatore Bonaccorso <[email protected]> wrote:
> >
> > > CVE-2023-44487[0]:
> > > | The HTTP/2 protocol allows a denial of service (server resource
> > > | consumption) because request cancellation can reset many streams
> > > | quickly, as exploited in the wild in August through October 2023.
> >
> > Fixing this issue would require backporting a significant amount of
> > new features in varnish and I do not believe that it would be practical.
> >
> > I am inclined to downgrade this bug because:
> > - this is just a DoS attack
> > - it only concerns people using hitch for TLS termination instead of
> >   a full web server like nginx or haproxy
> >
> > nginx in stable is also vulnerable, BTW.
>
> While I do agree (and it was filed with this severity), the bug
> severity would not be RC, varnish currently seems to lack active
> maintainership.

Ok, fair enough. We'll mark CVE-2023-44487 (and also
https://varnish-cache.org/security/VSV00014.html) as no-dsa for
bookworm/bullseye.

> As such an RC bug keeps it out of testing until someone steps up for a
> commitment maintaining varnish.

The reason here isn't really a commitment, but a lack of a suitable LTS
branch for stable/oldstable. We wouldn't be in this position if Debian
were following the official 6.0 LTS branch. That ship has now sailed,
but when upstream announces a new 7.x LTS at some point we need to use
that for stable/oldstable; the current model isn't working.

Cheers,
Moritz
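The CVE text quoted in the thread says the attack "can reset many streams quickly", and the reason that defeats the usual HTTP/2 concurrency limit is worth seeing in code. What follows is an added example, not code from this thread and not varnish's, hitch's or nginx's own implementation. It is a toy model of one client connection against a server that dispatches each HEADERS frame to backend work and honours RST_STREAM by freeing the stream slot immediately. The frame representation, the 100-stream table, the reset limit of 100 per one-second window, and the traffic generator are all assumptions chosen for the demo; the hardened path shows the general shape of the mitigation (a per-connection budget of resets, after which the connection is torn down), not what varnish 7.4.2 specifically shipped.

```python
"""Toy model of HTTP/2 rapid-reset accounting (CVE-2023-44487).

Added illustration; not code from the thread or from varnish/nginx.
All limits and timings below are assumptions for the demo.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Frame:
    """Minimal stand-in for an HTTP/2 frame: type, stream id, arrival time in seconds."""
    kind: str          # "HEADERS" or "RST_STREAM"
    stream_id: int
    t: float


@dataclass
class Connection:
    max_concurrent_streams: int = 100   # SETTINGS_MAX_CONCURRENT_STREAMS (assumed value)
    open_streams: set = field(default_factory=set)
    peak_open: int = 0                  # highest concurrency ever observed
    dispatched: int = 0                 # backend requests started; never cancelled in this model
    rejected_streams: int = 0           # HEADERS refused because the stream table was full
    closed: bool = False
    reset_times: deque = field(default_factory=deque)   # used only by the hardened path


def handle_frame(conn, frame, reset_limit=None, reset_period=1.0):
    """Process one frame on a connection.

    reset_limit=None reproduces the pre-mitigation behaviour: the only
    bound is max_concurrent_streams, and RST_STREAM frees a slot at once,
    so the bound is never reached while backend work keeps piling up.
    With reset_limit set, more than reset_limit RST_STREAM frames within
    reset_period seconds close the connection (a real server sends GOAWAY).
    """
    if conn.closed:
        return "dropped"
    if frame.kind == "HEADERS":
        if len(conn.open_streams) >= conn.max_concurrent_streams:
            conn.rejected_streams += 1
            return "refused"
        conn.open_streams.add(frame.stream_id)
        conn.peak_open = max(conn.peak_open, len(conn.open_streams))
        conn.dispatched += 1          # backend work starts here and is not recalled
        return "dispatched"
    if frame.kind == "RST_STREAM":
        conn.open_streams.discard(frame.stream_id)   # slot freed immediately
        if reset_limit is not None:
            conn.reset_times.append(frame.t)
            # Sliding window: forget resets older than reset_period.
            while conn.reset_times and conn.reset_times[0] < frame.t - reset_period:
                conn.reset_times.popleft()
            if len(conn.reset_times) > reset_limit:
                conn.closed = True
                return "goaway"
        return "reset"
    raise ValueError(f"unknown frame kind {frame.kind!r}")


def rapid_reset_burst(n, spacing=0.001):
    """Constructed attacker traffic: open a stream and reset it immediately, n times."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1                       # client-initiated streams are odd
        frames.append(Frame("HEADERS", sid, i * spacing))
        frames.append(Frame("RST_STREAM", sid, i * spacing))
    return frames


def run(frames, reset_limit=None, reset_period=1.0, max_streams=100):
    """Feed a frame sequence to a fresh connection and return its final state."""
    conn = Connection(max_concurrent_streams=max_streams)
    for f in frames:
        handle_frame(conn, f, reset_limit, reset_period)
    return conn


if __name__ == "__main__":
    burst = rapid_reset_burst(10_000)
    vuln = run(burst)
    print(f"unmitigated: dispatched={vuln.dispatched} refused={vuln.rejected_streams} "
          f"peak_open={vuln.peak_open}")
    hard = run(burst, reset_limit=100)
    print(f"mitigated:   dispatched={hard.dispatched} closed={hard.closed}")
```

The unmitigated run never refuses a HEADERS frame and never sees more than one stream open, yet it dispatches ten thousand backend requests from one connection: the concurrency setting bounds open streams, not work already handed off. The hardened run tears the connection down after the 101st reset. The model deliberately does not simulate the actual cost of the dispatched work, which is where a real server's resource consumption comes from, nor the legitimate reasons a client resets streams, which is why the budget has to be a rate over a window rather than an absolute count.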

