Detecting and fixing VSV00004 in older releases

Sylvain Beucler beuc at
Sat Apr 18 19:17:36 UTC 2020


I'm part of the Debian LTS (Long Term Support) team, I'm checking what
Debian varnish packages are affected by CVE-2019-20637, and how to fix them.

In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
different to apply the git patch with good confidence.

I appreciate that these versions are not officially supported anymore by
the Varnish project. Since it is common in GNU/Linux distros to provide
security fixes to users of packaged releases when feasible, I'm
classifying this vulnerability and looking for a fix.

Is there a patch for older Varnish releases, or failing that, a
proof-of-concept that would help me trigger and fix the vulnerability?

Note: to determine whether the versions are affected, and possibly
backport the patch, I tried to reproduce the issue following the
detailed advisory but without success, including on a vanilla 6.0.4:

vcl 4.0;
backend default {
    .host = "";
    .port = "80";
sub vcl_deliver {
    if (req.url ~ "/2") {
        set resp.status = 123;
        set resp.reason = "blah";
sub vcl_synth {
    synthetic( {"Status: "} + resp.status + {"
Reason: "} + resp.reason + {"
XID: "} + req.xid + {"
"} );
    return (deliver);

./varnishd -F -a :6081 -f /etc/varnish/default.vcl -p max_restarts=1

curl localhost:6081/1 localhost:6081/2
-> Reason: Service Unavailable
(no leak)

Sylvain Beucler
Debian LTS Team

More information about the varnish-misc mailing list