Hi,

On 23/04/2020 07:40, Dridi Boukelmoune wrote:
> On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler <[email protected]> wrote:
>> I'm part of the Debian LTS (Long Term Support) team, and I'm checking what
>> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>>
>> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
>> different to apply the git patch with good confidence.
>>
>> I appreciate that these versions are not officially supported anymore by
>> the Varnish project. Since it is common in GNU/Linux distros to provide
>> security fixes to users of packaged releases when feasible, I'm
>> classifying this vulnerability and looking for a fix.
>
> EOL series are definitely not a priority and I have other things to
> look at before I can dive into this. So I will eventually revisit this
> thread, or maybe someone will beat me to it if you're lucky.
>
>> Is there a patch for older Varnish releases, or failing that, a
>> proof-of-concept that would help me trigger and fix the vulnerability?
>
> Not that I'm aware of.
>
>> Note: to determine whether the versions are affected, and possibly
>> backport the patch, I tried to reproduce the issue following the
>> detailed advisory but without success, including on a vanilla 6.0.4:
>
> If the advisory is inaccurate we will definitely want to amend it.
Thanks for your answer.

Do we know in what version Trygve Tønnesland triggered the vulnerability?

Regards,
Sylvain Beucler
Debian LTS Team

_______________________________________________
varnish-misc mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
