Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:

03b2e4df by Carlos Henrique Lima Melara at 2025-09-25T23:04:24-03:00

bookworm/bullseye triage of CVE-2025-8671/varnish

CVE-2025-8671's fix relies on CVE-2023-44487's fix, which was triaged as "Minor issue, too intrusive to backport" in bookworm and bullseye. Therefore, we follow the same approach for CVE-2025-8671.

On the 6.0 LTS branch, CVE-2025-8671's fix is [1], which relies on h2_rapid_reset, which was introduced in [2] to fix CVE-2023-44487. As pointed out in #1056156, we are not following the 6.0 LTS branch and there are a lot of commits between 6.0 LTS and 6.5.1 in bullseye, but they serve as pointers.

[1] https://github.com/varnishcache/varnish-cache/commit/7c3fac93c39260873b87f69b6178e73abb42be6b (varnish-6.0.15)
[2] https://github.com/varnishcache/varnish-cache/commit/e555093912df07fd06ba8fb164517eb92267db3a (varnish-6.0.12)

- - - - -
0838def6 by Carlos Henrique Lima Melara at 2025-09-25T23:07:51-03:00

Record regression and fix for CVE-2025-8671/varnish for 7.7

- - - - -
65dc18f7 by Salvatore Bonaccorso at 2025-09-26T05:59:20+02:00

Merge branch 'update-cve-2025-8671-varnish' into 'master'

CVE-2025-8671/varnish: bookworm/bullseye triage and add regression info

See merge request security-tracker-team/security-tracker!247

- - - - -

1 changed file:

- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
@@ -15796,6 +15796,8 @@ CVE-2025-8671 (A mismatch caused by client-triggered server-sent stream resets b [bullseye] - h2o <postponed> (Minor issue) - haproxy <not-affected> (Performs stream management correctly) - varnish 7.7.2-1 + [bookworm] - varnish <ignored> (Minor issue, too intrusive to backport) + [bullseye] - varnish <ignored> (Minor issue, too intrusive to backport) NOTE: https://kb.cert.org/vuls/id/767506 NOTE: https://galbarnahum.com/made-you-reset NOTE: h2o: https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
@@ -15806,6 +15808,8 @@ CVE-2025-8671 (A mismatch caused by client-triggered server-sent stream resets b NOTE: varnish: https://github.com/varnishcache/varnish-cache/commit/1aa6e49201acc64ec40b55a5482d1b26e939ff1c (varnish-7.7.2) NOTE: varnish: https://github.com/varnishcache/varnish-cache/commit/f960bccb5c3558ad9c49d7d01ac689c1c614f741 (varnish-7.7.2) NOTE: varnish: https://github.com/varnishcache/varnish-cache/commit/7710a5da9958d1b63720e4f6565dd1d87619d4c6 (varnish-7.7.2) + NOTE: varnish: Regression: https://github.com/varnishcache/varnish-cache/issues/4380 + NOTE: varnish: Regression fix: https://github.com/varnishcache/varnish-cache/commit/cfee49ee9054a238bda686666ac6e471fbbfca10 (varnish-7.7.3) NOTE: Unaffected implementations not requiring code changes: NOTE: - lighttpd: Cf. https://bugs.debian.org/1111140#10 . Adds detection f HTTP/2 MadeYouReset so that log NOTE: watchers can be configured to block offending IPs.

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/59c1ae10b8dc733c11f45b103e45c758150f9bce...65dc18f7d38f222cc4840e2ea4005c0308cf1bec
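Review bot: in the first hunk (@@ -15796), the two new `<ignored>` lines for bookworm and bullseye carry only the generic parenthetical `(Minor issue, too intrusive to backport)`, while the actual reason given in the commit message (the fix depends on the CVE-2023-44487 change, h2_rapid_reset, which was itself ignored for those suites; 6.0 LTS pointers 7c3fac93 and e555093) is not recorded anywhere in data/CVE/list. Since the parenthetical and the NOTE lines are what a later triager or LTS contributor will read, add a NOTE next to the varnish entries referencing CVE-2023-44487 and the two 6.0.x commits, or fold the dependency into the reason, e.g. `(Minor issue, too intrusive to backport; depends on the CVE-2023-44487 fix)`.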
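Review bot: in the second hunk (@@ -15806), the regression fix is recorded as landing in varnish-7.7.3 (cfee49ee), but the entry's fixed version, visible in the first hunk, is still `- varnish 7.7.2-1`, which is the regressed release. Either the Debian 7.7.2-1 upload already carries cfee49ee as a patch, in which case the NOTE should say so, or a follow-up upload is needed and the entry should point at the Debian bug tracking it; as written a reader cannot tell which. Minor: the context line `NOTE: - lighttpd: Cf. https://bugs.debian.org/1111140#10 . Adds detection f HTTP/2 MadeYouReset` has a typo ("detection f" for "detection of") that could be fixed in the same touch of the file.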
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
