Hi Marco,

On Sun, Mar 29, 2026 at 05:37:45PM +0200, Marco d'Itri wrote:
> On Mar 29, Salvatore Bonaccorso <[email protected]> wrote:
>
> > Marco, can you identify the fixing commit for this issue?
> There is no patch available for varnish 7.x, and backporting it appears too
> complex to me. Since the vulnerability has a very narrow scope and it
> can be mitigated with very simple VCL, I do not think that it is worth doing
> a stable update just for this.
>
> This will be fixed by the next unstable upload, which is currently on hold
> waiting for some upstream changes.

Thanks for your quick reply. OK, that sounds good. I will mark the CVE
for trixie and bookworm accordingly as no-dsa and then mark it as
fixed in unstable once it enters with the next unstable upload
including the fix.

Regards,
Salvatore

