Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
58040b35 by Sylvain Beucler at 2020-05-15T11:34:03+02:00
CVE-2019-20637/varnish: jessie not-affected
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3855,9 +3855,11 @@ CVE-2020-11647 (In Wireshark 3.2.0 to 3.2.2, 3.0.0 to
3.0.9, and 2.6.0 to 2.6.15
NOTE: https://www.wireshark.org/security/wnpa-sec-2020-07.html
CVE-2019-20637 (An issue was discovered in Varnish Cache before 6.0.5 LTS,
6.1.x and 6 ...)
- varnish 6.4.0-1 (bug #956305)
+ [jessie] - varnish <not-affected> (Vulnerability introduced later, PoC
not leaking)
NOTE: http://varnish-cache.org/security/VSV00004.html#vsv00004
NOTE:
https://github.com/varnishcache/varnish-cache/commit/bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c
(6.x fix)
NOTE:
https://github.com/varnishcache/varnish-cache/commit/0c9c38513bdb7730ac886eba7563f2d87894d734
(test case / reproducer)
+ NOTE: Introduced in
https://github.com/varnishcache/varnish-cache/commit/62932b422f311ed1224f14a216169bcdc1b77a2d
(5.0)
NOTE: Case #3 implies labels introduced in
https://github.com/varnishcache/varnish-cache/commit/34350d5e183ef4e04285729d1f63b784d1bc6454
(5.0)
CVE-2020-11646
RESERVED
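Review bot: The added `[jessie]` line gives two different justifications in one parenthesis ("Vulnerability introduced later" and "PoC not leaking") without saying which one the not-affected decision rests on, and the added "Introduced in ... (5.0)" NOTE does not say how that commit was identified. A reproducer that does not leak is weaker evidence than the vulnerable code being absent, so consider stating the basis in the NOTE (code review, bisection or upstream confirmation) so that a later reader can re-check the triage without repeating the analysis.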
=====================================
data/dla-needed.txt
=====================================
@@ -115,15 +115,6 @@ tomcat8
tzdata
NOTE: 20200514: LTS update must wait on oldstable update first to prevent
newer version in LTS (roberto)
--
-varnish (Sylvain Beucler)
- NOTE: 20200410: There was a reworking of the functions in cache_req_fsm.c
- NOTE: 20200410: compared to HEAD, but a glance suggests that the underlying
- NOTE: 20200410: reset of err_code and err_reason still might need doing, but
- NOTE: 20200410: I don't quite understand the restart/synthetic requests.
(lamby)
- NOTE: 20200424: Getting diagnostic info from upstream, cf. #956305 (Beuc)
- NOTE: 20200506: Not enough info so far, ping'd varnish-misc ML (Beuc)
- NOTE: 20200512: Not enough info so far, ping'd security contacts (Beuc)
---
xcftools (Anton Gladky)
NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for
upstream review (hle)
NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting
original patch
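Review bot: The removed varnish block names no CVE, so the diff alone does not show that CVE-2019-20637 was the only issue this dla-needed entry tracked; confirm that no other open varnish issue still needs jessie work before dropping it. The removed NOTEs also hold the open question about resetting err_code and err_reason in cache_req_fsm.c and the history of upstream contact attempts, so consider carrying a one-line summary of how that question was settled into a NOTE under CVE-2019-20637 in data/CVE/list.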
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58040b35d3db55baa077ffe425a0b7d8d989980b