On Wed, Apr 15, 2015, at 03:23, Andrzej Godziuk wrote:
> Hello,
>
> Regarding the Varnish 3 EOL announcement [1], I understand that Varnish
> Software will not release security patches to Varnish 3 any more. Is
> that correct?
>
> Do you plan on cooperating with LTS Linux distributions who shipped
> Varnish 3? For example, Ubuntu 12.04 is supported until April 2017 and
> I wonder how urgent the upgrade to Varnish 4 is on systems running this
> OS.
>
> [1]
> https://www.varnish-cache.org/lists/pipermail/varnish-announce/2015-April/000702.html
>
I'm not aware of any LTS Linux distro that has upstream "cooperate" with them when issues arise in versions they dropped support for. It's up to the package maintainers to be competent enough to backport the security fixes themselves.

Sadly, there is a disconnection in the way open source software is developed and the way Linux distros deliver it to end users. Mistakes are made all too regularly and you end up with situations like this:

"The fix that was included in Debian for CVE-2012-1836 is incomplete, and does not solve the original remote code execution problem."

So if you're worried about vulnerabilities in Varnish 3.x on LTS Linux distros I would advise you to not use their Varnish 3.x packages and to build Varnish yourself or find a trustworthy 3rd-party package repository that supplies packages for your favorite LTS Linux distro.

The only other solution I can think of is to use a rolling-release Linux distro or one of the BSDs which use a rolling-release model for their non-base system software (ports/packages).

_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
