Your message dated Wed, 03 Jun 2026 19:04:18 +0000
with message-id <[email protected]>
and subject line Bug#1138778: fixed in varnish 7.7.3-3
has caused the Debian Bug report #1138778,
regarding varnish: CVE-2026-50052 / VSV00019
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138778: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138778
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: varnish
Version: 7.7.0-3
Severity: serious
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: fixed -1 7.7.0-3+deb13u1
Hi,
The following vulnerability was published for varnish.
I'm marking this as RC level in particular because we fixed this in DSA
6303-1 and have otherwise a regression from trixie -> forky.
CVE-2026-50052[0]:
| In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a
| deficiency in HTTP/2 request parsing can be exploited to launch a
| backend request desync attack (request smuggling), which in turn can
| be used for cache poisoning, authentication bypass, or possibly even
| information disclosure and manipulation. The attack vector only
| exists if HTTP/2 support is enabled by setting the feature parameter
| to contain +http2. HTTP/2 support is disabled by default.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-50052
https://www.cve.org/CVERecord?id=CVE-2026-50052
[1] https://vinyl-cache.org/security/VSV00019.html
Regards,
Salvatore
--- End Message ---
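An added example, not part of the bug report or of the varnish packaging: a check for the exposure condition the CVE text names (the feature parameter containing +http2), applied to a varnishd command line. The function name `http2_state` and the sample command lines are constructed for illustration; it assumes whitespace-separated arguments and sees only startup arguments, not a value changed later at runtime.

```sh
#!/bin/sh
# Report whether a varnishd command line enables HTTP/2, the precondition
# named in the CVE-2026-50052 description (feature parameter contains +http2).

# http2_state "<varnishd command line>"  ->  prints "on" or "off"
# Applies every "-p feature=..." argument in order; a later setting wins.
http2_state() {
    state=off                  # per the advisory text: disabled by default
    prev=
    for arg in $1; do          # simple whitespace split (assumption)
        val=
        case $arg in
            -pfeature=*) val=${arg#-pfeature=} ;;
            feature=*)   if [ "$prev" = "-p" ]; then val=${arg#feature=}; fi ;;
        esac
        prev=$arg
        [ -n "$val" ] || continue
        old_ifs=$IFS
        IFS=,                  # the value is a comma-separated flag list
        for flag in $val; do
            case $flag in
                +http2) state=on ;;
                -http2) state=off ;;
                # Assumption: "none" and "default" both leave http2 off,
                # since the page states it is disabled by default.
                none|default) state=off ;;
            esac
        done
        IFS=$old_ifs
    done
    echo "$state"
}

# Constructed sample command lines (not taken from any real host).
for sample in \
    "varnishd -a :6081 -f /etc/varnish/default.vcl -s malloc,256m" \
    "varnishd -a :6081 -p feature=+http2 -s malloc,256m" \
    "varnishd -a :6081 -pfeature=+esi_ignore_https,+http2" \
    "varnishd -p feature=+http2 -p feature=-http2"
do
    printf '%-4s %s\n' "$(http2_state "$sample")" "$sample"
done
```

On a host, the input can be the `ExecStart` line of the service unit or the output of `ps -o args= -C varnishd`; an "on" result together with a package version older than the fixed ones named in this report (7.7.0-3+deb13u1, 7.7.3-3) means the instance meets the condition described in the CVE text.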
--- Begin Message ---
Source: varnish
Source-Version: 7.7.3-3
Done: Marco d'Itri <[email protected]>
We believe that the bug you reported is fixed in the latest version of
varnish, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco d'Itri <[email protected]> (supplier of updated varnish package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 03 Jun 2026 18:31:54 +0200
Source: varnish
Architecture: source
Version: 7.7.3-3
Distribution: unstable
Urgency: medium
Maintainer: Varnish Package Maintainers <[email protected]>
Changed-By: Marco d'Itri <[email protected]>
Closes: 1138778
Changes:
varnish (7.7.3-3) unstable; urgency=medium
.
* Fix the VSV00019 (CVE-2025-8671) request smuggling vulnerability.
(Closes: #1138778)
Git-Tag-Info: tag=ba2d53077df0b20b7c66827e970be919a5277612
fp=272945cd836d38dfb7427e86cb3ec33ae1ded781
Git-Tag-Tagger: Marco d'Itri <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---