Hi,
AFAICT the vulnerability is introduced in:
https://github.com/varnishcache/varnish-cache/commit/62932b422f311ed1224f14a216169bcdc1b77a2d
(removed "req->err_reason = NULL;")
The reproducer below doesn't leak with the prior commit, and leaks with
that commit as well as stretch/5.0.0.
Hi,
Upstream just pushed a test case:
https://github.com/varnishcache/varnish-cache/commit/0c9c38513bdb7730ac886eba7563f2d87894d734
I tested 6.1.1 (buster), with a minor adjustment due to 'param.reset'
not being available yet:
-varnish v1 -cliok "param.reset max_restarts"
+varnish v1 -cliok
Hi Sylvain,
On Tue, Apr 21, 2020 at 07:23:40PM +0200, Sylvain Beucler wrote:
> I didn't check whether the "undetermined" state would work for a lower
> suite, thanks. I'll mark it as "postponed" or "ignored" instead -- but
> hopefully I'll get some info :)
Ack (regarding postponed or ignored),
I didn't check whether the "undetermined" state would work for a lower
suite, thanks. I'll mark it as "postponed" or "ignored" instead -- but
hopefully I'll get some info :)
Hi,
On Tue, Apr 21, 2020 at 05:22:15PM +0200, Sylvain Beucler wrote:
> I contacted upstream a few days ago:
> https://varnish-cache.org/lists/pipermail/varnish-misc/2020-April/026854.html
> No answer yet.
>
> I'll probably ping the security contact (individual maintainers) in a
> bit and search
I contacted upstream a few days ago:
https://varnish-cache.org/lists/pipermail/varnish-misc/2020-April/026854.html
No answer yet.
I'll probably ping the security contact (individual maintainers) in a
bit and search some more on my own.
Failing that I'll mark the issue undetermined for 4.x.
Sylvain Beucler writes:
> As part of Debian LTS, I'm checking what versions are affected (esp.
> 4.x) and how to fix them (as cache_req_fsm.c in 4.x and 5.x is too
> different to apply the patch).
>
> Did anybody from Debian contact upstream for a PoC or an alternate
> patch yet? Otherwise I'll
Hi,
As part of Debian LTS, I'm checking what versions are affected (esp.
4.x) and how to fix them (as cache_req_fsm.c in 4.x and 5.x is too
different to apply the patch).
Did anybody from Debian contact upstream for a PoC or an alternate patch
yet?
Otherwise I'll do it.
Right now I tried to
Source: varnish
Version: 6.2.1-3
Severity: important
Tags: security upstream
Control: found -1 6.1.1-1+deb10u1
Control: found -1 6.1.1-1
Control: found -1 5.0.0-7+deb9u2
Control: found -1 5.0.0-7
Hi,
The following vulnerability was published for varnish.
CVE-2019-20637[0]:
| An issue was
9 matches
Mail list logo