Hi,

On 24/04/2020 13:23, Sylvain Beucler wrote:
> On 23/04/2020 07:40, Dridi Boukelmoune wrote:
>> On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler <[email protected]> wrote:
>>> I'm part of the Debian LTS (Long Term Support) team, I'm checking what
>>> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>>>
>>> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
>>> different to apply the git patch with good confidence.
>>>
>>> I appreciate that these versions are not officially supported anymore by
>>> the Varnish project. Since it is common in GNU/Linux distros to provide
>>> security fixes to users of packaged releases when feasible, I'm
>>> classifying this vulnerability and looking for a fix.
>>
>> EOL series are definitely not a priority and I have other things to
>> look at before I can dive into this. So I will eventually revisit this
>> thread, or maybe someone will beat me to it if you're lucky.
>>
>>> Is there a patch for older Varnish releases, or failing that, a
>>> proof-of-concept that would help me trigger and fix the vulnerability?
>>
>> Not that I'm aware of.
>>
>>> Note: to determine whether the versions are affected, and possibly
>>> backport the patch, I tried to reproduce the issue following the
>>> detailed advisory but without success, including on a vanilla 6.0.4:
>>
>> If the advisory is inaccurate we will definitely want to amend it.
>
> Thanks for your answer.
>
> Do we know in what version Trygve Tønnesland triggered the vulnerability?

To put it differently, how would one make sure that applying
bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c fixes the issue in a Debian
version not explicitly referenced in VS0004, such as 6.1.1?

Regards,
Sylvain Beucler
Debian LTS Team

_______________________________________________
varnish-misc mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
