From ksorensen at nordija.com Thu Apr 2 08:34:59 2020
From: ksorensen at nordija.com (Kristian Grønfeldt Sørensen)
Date: Thu, 02 Apr 2020 10:34:59 +0200
Subject: Installation of Varnish 6.0LTS on Debian Buster
Message-ID:

Hi,

It doesn't look like there's any Varnish 6.0LTS on packagecloud. Is there any plans for when they will be available, or is it just me who can't find them?

Additionally I noticed that the link to https://varnish-cache.org/releases/rel6.0.2 from https://varnish-cache.org/docs/trunk/installation/install_debian.html results in a 404. I'm not sure what it was supposed to point to, as the changes.rst doesn't seem to contain any hints on this either.

BR
Kristian Sørensen

From dridi at varni.sh Thu Apr 2 08:57:30 2020
From: dridi at varni.sh (Dridi Boukelmoune)
Date: Thu, 2 Apr 2020 08:57:30 +0000
Subject: Installation of Varnish 6.0LTS on Debian Buster
In-Reply-To:
References:
Message-ID:

On Thu, Apr 2, 2020 at 8:36 AM Kristian Grønfeldt Sørensen wrote:
>
> Hi,
>
> It doesn't look like there's any Varnish 6.0LTS on packagecloud. Is
> there any plans for when they will be available, or is it just me who
> can't find them?
>
> Additionally I noticed that the link to
> https://varnish-cache.org/releases/rel6.0.2 from
> https://varnish-cache.org/docs/trunk/installation/install_debian.html
> results in a 404. I'm not sure what it was supposed to point to, as the changes.rst doesn't seem to contain any hints on this either.

Hi,

https://github.com/varnishcache/pkg-varnish-cache/issues/127
https://github.com/varnishcache/pkg-varnish-cache/issues/128

*channels guillaume*

I'm not sure what the current status is.

Dridi

From datanoise at bitjungle.info Thu Apr 2 12:57:09 2020
From: datanoise at bitjungle.info (datanoise)
Date: Thu, 2 Apr 2020 14:57:09 +0200
Subject: Installation of Varnish 6.0LTS on Debian Buster
In-Reply-To:
References:
Message-ID:

Hi

> I'm not sure what the current status is.

It seems like the weekly build hasn't been updated for buster lately. Latest version available on the repo is "varnish_20200131" (https://packagecloud.io/varnishcache/varnish-weekly/packages/debian/buster/varnish_20200131-weekly~buster_amd64.deb).

Cheers,

dn

From guillaume at varnish-software.com Thu Apr 2 16:10:47 2020
From: guillaume at varnish-software.com (Guillaume Quintard)
Date: Thu, 2 Apr 2020 09:10:47 -0700
Subject: Installation of Varnish 6.0LTS on Debian Buster
In-Reply-To:
References:
Message-ID:

Buster packages are systematically built by circleci:
https://app.circleci.com/pipelines/github/varnishcache/varnish-cache?branch=master

You can find them in the collect_packages job, as artifacts, for example:
https://app.circleci.com/pipelines/github/varnishcache/varnish-cache/456/workflows/e863041c-a1d9-4697-86e4-292034cc2654/jobs/5150/artifacts

Looks like we just forgot to push the buster packages, the latest ones are now in the repo.

--
Guillaume Quintard

On Thu, Apr 2, 2020 at 5:58 AM datanoise wrote:

> Hi
> > I'm not sure what the current status is.
>
> It seems like the weekly build hasn't been updated for buster lately.
> Latest version available on the repo is "varnish_20200131" (
> https://packagecloud.io/varnishcache/varnish-weekly/packages/debian/buster/varnish_20200131-weekly~buster_amd64.deb
> ).
>
> Cheers,
>
> dn
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at varnish-cache.org
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc

From ksorensen at nordija.com Fri Apr 3 08:34:57 2020
From: ksorensen at nordija.com (Kristian Grønfeldt Sørensen)
Date: Fri, 03 Apr 2020 10:34:57 +0200
Subject: Installation of Varnish 6.0LTS on Debian Buster
In-Reply-To:
References:
Message-ID: <1cce2faafbcf106e9dd47652a2173586520befce.camel@nordija.com>

On Thu, 2020-04-02 at 08:57 +0000, Dridi Boukelmoune wrote:
> On Thu, Apr 2, 2020 at 8:36 AM Kristian Grønfeldt Sørensen wrote:
> > Hi,
> >
> > It doesn't look like there's any Varnish 6.0LTS on packagecloud. Is
> > there any plans for when they will be available, or is it just me
> > who can't find them?
> >
> > Additionally I noticed that the link to
> > https://varnish-cache.org/releases/rel6.0.2 from
> > https://varnish-cache.org/docs/trunk/installation/install_debian.html
> > results in a 404. I'm not sure what it was supposed to point to,
> > as the changes.rst doesn't seem to contain any hints on this
> > either.
>
> Hi,
>
> https://github.com/varnishcache/pkg-varnish-cache/issues/127
> https://github.com/varnishcache/pkg-varnish-cache/issues/128
>
> *channels guillaume*
>
> I'm not sure what the current status is.
>
> Dridi

Thanks for pointing to those, Dridi.

I've added my observations on building LTS on buster to issue 127.

/Kristian

From guillaume at varnish-software.com Fri Apr 3 14:26:14 2020
From: guillaume at varnish-software.com (Guillaume Quintard)
Date: Fri, 3 Apr 2020 07:26:14 -0700
Subject: Installation of Varnish 6.0LTS on Debian Buster
In-Reply-To: <1cce2faafbcf106e9dd47652a2173586520befce.camel@nordija.com>
References: <1cce2faafbcf106e9dd47652a2173586520befce.camel@nordija.com>
Message-ID:

To save everyone a trip to the GitHub issue, here was my answer over there:

This is currently not planned. Buster has upgraded the jemalloc package, a central part of our memory management and that kind of change doesn't fit inside an LTS as the behavior is quite different from the old one.

--
Guillaume Quintard

On Fri, Apr 3, 2020 at 1:35 AM Kristian Grønfeldt Sørensen <ksorensen at nordija.com> wrote:

> On Thu, 2020-04-02 at 08:57 +0000, Dridi Boukelmoune wrote:
> > On Thu, Apr 2, 2020 at 8:36 AM Kristian Grønfeldt Sørensen wrote:
> > > Hi,
> > >
> > > It doesn't look like there's any Varnish 6.0LTS on packagecloud. Is
> > > there any plans for when they will be available, or is it just me
> > > who can't find them?
> > >
> > > Additionally I noticed that the link to
> > > https://varnish-cache.org/releases/rel6.0.2 from
> > > https://varnish-cache.org/docs/trunk/installation/install_debian.html
> > > results in a 404. I'm not sure what it was supposed to point to,
> > > as the changes.rst doesn't seem to contain any hints on this
> > > either.
> >
> > Hi,
> >
> > https://github.com/varnishcache/pkg-varnish-cache/issues/127
> > https://github.com/varnishcache/pkg-varnish-cache/issues/128
> >
> > *channels guillaume*
> >
> > I'm not sure what the current status is.
> >
> > Dridi
>
> Thanks for pointing to those, Dridi.
>
> I've added my observations on building LTS on buster to issue 127.
>
> /Kristian

From beuc at beuc.net Sat Apr 18 19:17:36 2020
From: beuc at beuc.net (Sylvain Beucler)
Date: Sat, 18 Apr 2020 21:17:36 +0200
Subject: Detecting and fixing VSV00004 in older releases
Message-ID: <9ecc5065-709e-7bd7-f023-a7e58b885916@beuc.net>

Hi,

I'm part of the Debian LTS (Long Term Support) team, I'm checking what Debian varnish packages are affected by CVE-2019-20637, and how to fix them.

In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too different to apply the git patch with good confidence.

I appreciate that these versions are not officially supported anymore by the Varnish project. Since it is common in GNU/Linux distros to provide security fixes to users of packaged releases when feasible, I'm classifying this vulnerability and looking for a fix.

Is there a patch for older Varnish releases, or failing that, a proof-of-concept that would help me trigger and fix the vulnerability?

Note: to determine whether the versions are affected, and possibly backport the patch, I tried to reproduce the issue following the detailed advisory but without success, including on a vanilla 6.0.4:

/etc/varnish/default.vcl:

    vcl 4.0;
    backend default {
        .host = "127.0.0.1";
        .port = "80";
    }
    sub vcl_deliver {
        if (req.url ~ "/2") {
            set resp.status = 123;
            set resp.reason = "blah";
            return(restart);
        }
    }
    sub vcl_synth {
        synthetic( {"Status: "} + resp.status + {" Reason: "} + resp.reason + {" XID: "} + req.xid + {" "} );
        return (deliver);
    }

    ./varnishd -F -a :6081 -f /etc/varnish/default.vcl -p max_restarts=1

    curl localhost:6081/1 localhost:6081/2
    -> Reason: Service Unavailable (no leak)

Regards,
Sylvain Beucler
Debian LTS Team

From dridi at varni.sh Thu Apr 23 05:40:22 2020
From: dridi at varni.sh (Dridi Boukelmoune)
Date: Thu, 23 Apr 2020 05:40:22 +0000
Subject: Detecting and fixing VSV00004 in older releases
In-Reply-To: <9ecc5065-709e-7bd7-f023-a7e58b885916@beuc.net>
References: <9ecc5065-709e-7bd7-f023-a7e58b885916@beuc.net>
Message-ID:

Bonjour Sylvain,

On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler wrote:
>
> Hi,
>
> I'm part of the Debian LTS (Long Term Support) team, I'm checking what
> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>
> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
> different to apply the git patch with good confidence.
>
> I appreciate that these versions are not officially supported anymore by
> the Varnish project.
> Since it is common in GNU/Linux distros to provide
> security fixes to users of packaged releases when feasible, I'm
> classifying this vulnerability and looking for a fix.

EOL series are definitely not a priority and I have other things to look at before I can dive into this. So I will eventually revisit this thread, or maybe someone will beat me to it if you're lucky.

> Is there a patch for older Varnish releases, or failing that, a
> proof-of-concept that would help me trigger and fix the vulnerability?

Not that I'm aware of.

> Note: to determine whether the versions are affected, and possibly
> backport the patch, I tried to reproduce the issue following the
> detailed advisory but without success, including on a vanilla 6.0.4:

If the advisory is inaccurate we will definitely want to amend it.

Dridi

From beuc at beuc.net Fri Apr 24 11:23:00 2020
From: beuc at beuc.net (Sylvain Beucler)
Date: Fri, 24 Apr 2020 13:23:00 +0200
Subject: Detecting and fixing VSV00004 in older releases
In-Reply-To:
References: <9ecc5065-709e-7bd7-f023-a7e58b885916@beuc.net>
Message-ID: <38565a84-215c-a378-67df-3dbf704dd5a5@beuc.net>

Hi,

On 23/04/2020 07:40, Dridi Boukelmoune wrote:
> On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler wrote:
>> I'm part of the Debian LTS (Long Term Support) team, I'm checking what
>> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>>
>> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
>> different to apply the git patch with good confidence.
>>
>> I appreciate that these versions are not officially supported anymore by
>> the Varnish project. Since it is common in GNU/Linux distros to provide
>> security fixes to users of packaged releases when feasible, I'm
>> classifying this vulnerability and looking for a fix.
>
> EOL series are definitely not a priority and I have other things to
> look at before I can dive into this.
> So I will eventually revisit this
> thread, or maybe someone will beat me to it if you're lucky.
>
>> Is there a patch for older Varnish releases, or failing that, a
>> proof-of-concept that would help me trigger and fix the vulnerability?
>
> Not that I'm aware of.
>
>> Note: to determine whether the versions are affected, and possibly
>> backport the patch, I tried to reproduce the issue following the
>> detailed advisory but without success, including on a vanilla 6.0.4:
>
> If the advisory is inaccurate we will definitely want to amend it.

Thanks for your answer.

Do we know in what version Trygve Tønnesland triggered the vulnerability?

Regards,
Sylvain Beucler
Debian LTS Team

From yassine.aouadi90 at gmail.com Mon Apr 27 14:27:52 2020
From: yassine.aouadi90 at gmail.com (Yassine Aouadi)
Date: Mon, 27 Apr 2020 16:27:52 +0200
Subject: Install latest varnish 6.0.6 lts on centos 8
Message-ID:

Hello,

I am looking to install the latest lts varnish version on centos 8 but didn't find the matching rpm in package-cloud.io.
After disabling dnf varnish module rpm script didn't work with lts version but same worked with 6.4.

Has anyone tried to do the same on el8?

Thanks,

Yassine

From guillaume at varnish-software.com Mon Apr 27 14:35:28 2020
From: guillaume at varnish-software.com (Guillaume Quintard)
Date: Mon, 27 Apr 2020 07:35:28 -0700
Subject: Install latest varnish 6.0.6 lts on centos 8
In-Reply-To:
References:
Message-ID:

Hi,

The current situation is that releases don't get new supported distributions, so you won't find centos:8, debian:buster or ubuntu:focal packages for it.

Regards,
--
Guillaume Quintard

On Mon, Apr 27, 2020 at 7:29 AM Yassine Aouadi wrote:

> Hello,
>
> I am looking to install the latest lts varnish version on centos 8 but
> didn't find the matching rpm in package-cloud.io.
> After disabling dnf varnish module rpm script didn't work with lts
> version but same worked with 6.4.
>
> Has anyone tried to do the same on el8?
>
> Thanks,
>
> Yassine