Hello Sylvain,

On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler <[email protected]> wrote:
>
> Hi,
>
> I'm part of the Debian LTS (Long Term Support) team; I'm checking what
> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>
> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
> different to apply the git patch with good confidence.
>
> I appreciate that these versions are not officially supported anymore by
> the Varnish project. Since it is common in GNU/Linux distros to provide
> security fixes to users of packaged releases when feasible, I'm
> classifying this vulnerability and looking for a fix.
EOL series are definitely not a priority and I have other things to look at before I can dive into this. So I will eventually revisit this thread, or maybe someone will beat me to it if you're lucky.

> Is there a patch for older Varnish releases, or failing that, a
> proof-of-concept that would help me trigger and fix the vulnerability?

Not that I'm aware of.

> Note: to determine whether the versions are affected, and possibly
> backport the patch, I tried to reproduce the issue following the
> detailed advisory but without success, including on a vanilla 6.0.4:

If the advisory is inaccurate we will definitely want to amend it.

Dridi

_______________________________________________
varnish-misc mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
