Varnish 3 EOL

Mark Felder feld at feld.me
Wed Apr 15 15:29:14 CEST 2015
On Wed, Apr 15, 2015, at 03:23, Andrzej Godziuk wrote:
> Hello,
> 
> Regarding the Varnish 3 EOL announcement [1], I understand that Varnish
> Software will not release security patches to Varnish 3 any more. Is
> that correct?
> 
> Do you plan on cooperating with LTS Linux distributions who shipped
> Varnish 3? For example, Ubuntu 12.04 is supported until April 2017 and
> I wonder how urgent the upgrade to Varnish 4 is on systems running this
> OS.
> 
> [1]
> https://www.varnish-cache.org/lists/pipermail/varnish-announce/2015-April/000702.html
> 
>

I'm not aware of any LTS Linux distro that has upstream "cooperate" with
them when issues arise in versions they dropped support for. It's up to
the package maintainers to be competent enough to backport the security
fixes themselves. Sadly, there is a disconnection in the way open source
software is developed and the way Linux distros deliver it to end users.
Mistakes are made all too regularly and you end up with situations like
this:

"The fix that was included in Debian for CVE-2012-1836 is incomplete,
and does not solve the original remote code execution problem."

So if you're worried about vulnerabilities in Varnish 3.x on LTS Linux
distros I would advise you to not use their Varnish 3.x packages and to
build Varnish yourself or find a trustworthy 3rd-party package
repository that supplies packages for your favorite LTS Linux distro.

The only other solution I can think of is to use a rolling-release Linux
distro or one of the BSDs which use a rolling-release model for their
non-base system software (ports/packages).
