Detecting and fixing VSV00004 in older releases
Sylvain Beucler
beuc at beuc.net
Sat Apr 18 19:17:36 UTC 2020
Hi,
I'm part of the Debian LTS (Long Term Support) team; I'm checking which
Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
different to apply the git patch with good confidence.
I appreciate that these versions are not officially supported anymore by
the Varnish project. Since it is common in GNU/Linux distros to provide
security fixes to users of packaged releases when feasible, I'm
classifying this vulnerability and looking for a fix.
Is there a patch for older Varnish releases, or failing that, a
proof-of-concept that would help me trigger and fix the vulnerability?
Note: to determine whether the versions are affected, and possibly
backport the patch, I tried to reproduce the issue following the
detailed advisory but without success, including on a vanilla 6.0.4:
/etc/varnish/default.vcl:

vcl 4.0;
backend default {
    .host = "127.0.0.1";
    .port = "80";
}
sub vcl_deliver {
    if (req.url ~ "/2") {
        set resp.status = 123;
        set resp.reason = "blah";
        return(restart);
    }
}
sub vcl_synth {
    synthetic( {"Status: "} + resp.status + {"
Reason: "} + resp.reason + {"
XID: "} + req.xid + {"
"} );
    return (deliver);
}

./varnishd -F -a :6081 -f /etc/varnish/default.vcl -p max_restarts=1
curl localhost:6081/1 localhost:6081/2
-> Reason: Service Unavailable
(no leak)
Regards,
Sylvain Beucler
Debian LTS Team
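As an added example (not part of the original message or of the Varnish project), a small Python check that reports every return(restart) inside a sub vcl_deliver, the configuration pattern exercised in the reproduction attempt above, so a maintainer can triage which deployed VCL files reach that code path before deciding what to backport. It assumes a constructed sample VCL, and it blanks out VCL long strings {" "}, short strings and comments first so that braces or keywords inside them do not confuse the brace matching.

```python
import re
# Constructed sample mirroring the VCL in the post (not the original message's file).
SAMPLE_VCL = '''vcl 4.0;
sub vcl_deliver {
    if (req.url ~ "/2") {
        set resp.status = 123;
        return(restart);
    }
}
sub vcl_synth {
    synthetic({"Status: "} + resp.status + {"
"});
}
'''
SUB_RE = re.compile(r'\bsub\s+([A-Za-z_][\w-]*)\s*\{')
RESTART_RE = re.compile(r'\breturn\s*\(\s*restart\s*\)')
DELIMS = (('{"', '"}'), ('"', '"'), ('/*', '*/'), ('#', '\n'), ('//', '\n'))

def blank_strings_and_comments(src):
    # Replace {"long"}/"short" strings and comments with spaces, keeping newlines,
    # so braces or keywords inside them cannot fool the brace matching below.
    out, i, n = [], 0, len(src)
    while i < n:
        for opener, closer in DELIMS:
            if src.startswith(opener, i):
                j = src.find(closer, i + len(opener))
                j = n if j < 0 else j + (0 if closer == '\n' else len(closer))
                break
        else:
            out.append(src[i]); i += 1
            continue
        out.append(re.sub(r'[^\n]', ' ', src[i:j])); i = j
    return ''.join(out)

def sub_spans(clean):
    # (name, body_start, body_end) of every 'sub name { ... }', matched by brace depth.
    spans = []
    for m in SUB_RE.finditer(clean):
        depth, i = 1, m.end()
        while i < len(clean) and depth:
            depth += {'{': 1, '}': -1}.get(clean[i], 0)
            i += 1
        spans.append((m.group(1), m.end(), i - 1))
    return spans

def find_deliver_restarts(src):
    # 1-based line numbers of return(restart) inside any sub vcl_deliver.
    clean = blank_strings_and_comments(src)
    return sorted(clean.count('\n', 0, m.start()) + 1 for name, s, e in sub_spans(clean)
                  if name == 'vcl_deliver' for m in RESTART_RE.finditer(clean, s, e))
```

Run it as `find_deliver_restarts(open(path).read())` over each packaged default.vcl; an empty list means that file never restarts from vcl_deliver.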