This bug was fixed in the package varnish - 3.0.5-2ubuntu0.1
---
varnish (3.0.5-2ubuntu0.1) trusty-security; urgency=medium
* SECURITY UPDATE: HTTP Smuggling issues: Double Content Length and bad EOL
(LP: #1709153).
- fix-HTTP-Smuggling-CVE-2015-8852.patch
-
** Changed in: varnish (Ubuntu Trusty)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1709153
Title:
[CVE] HTTP Smuggling issues: Double Content Length
Packages are building in the security-proposed ppa https://launchpad.net
/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages -- please test.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Here's a debdiff adding a patch for CVE-2017-12425 for Trusty applicable
to 3.0.5-2.
** Patch added: "2-3.0.5-2ubuntu0.1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+attachment/4928851/+files/2-3.0.5-2ubuntu0.1.debdiff
--
You received this bug notification
Note that trusty's varnish is also vulnerable to CVE-2017-12425. Could
you work that into the patch too? (Note fetch_number() from
trusty/varnish-3.0.5/bin/varnishd/cache_fetch.c )
Thanks
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12425
--
You received this bug
