Source: varnish Version: 7.7.0-3 Severity: serious Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: fixed -1 7.7.0-3+deb13u1
Hi, The following vulnerability was published for varnish. I'm making this as RC level in particular because we fixed this in DSA 6303-1 and have otherwise a regression from trixie -> forky. CVE-2026-50052[0]: | In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a | deficiency in HTTP/2 request parsing can be exploited to launch a | backend request desync attack (request smuggling), which in turn can | be used for cache poisoning, authentication bypass, or possibly even | information disclosure and manipulation. The attack vector only | exists if HTTP/2 support is enabled by setting the feature parameter | to contain +http2. HTTP/2 support is disabled by default. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-50052 https://www.cve.org/CVERecord?id=CVE-2026-50052 [1] https://vinyl-cache.org/security/VSV00019.html Regards, Salvatore
