Detecting and fixing VSV00004 in older releases
Sylvain Beucler
beuc at beuc.net
Fri Apr 24 11:23:00 UTC 2020
Hi,
On 23/04/2020 07:40, Dridi Boukelmoune wrote:
> On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler <beuc at beuc.net> wrote:
>> I'm part of the Debian LTS (Long Term Support) team, I'm checking what
>> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>>
>> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
>> different to apply the git patch with good confidence.
>>
>> I appreciate that these versions are not officially supported anymore by
>> the Varnish project. Since it is common in GNU/Linux distros to provide
>> security fixes to users of packaged releases when feasible, I'm
>> classifying this vulnerability and looking for a fix.
>
> EOL series are definitely not a priority and I have other things to
> look at before I can dive into this. So I will eventually revisit this
> thread, or maybe someone will beat me to it if you're lucky.
>
>> Is there a patch for older Varnish releases, or failing that, a
>> proof-of-concept that would help me trigger and fix the vulnerability?
>
> Not that I'm aware of.
>
>> Note: to determine whether the versions are affected, and possibly
>> backport the patch, I tried to reproduce the issue following the
>> detailed advisory but without success, including on a vanilla 6.0.4:
>
> If the advisory is inaccurate we will definitely want to amend it.
Thanks for your answer.
Do we know in what version Trygve Tønnesland triggered the vulnerability?
Regards,
Sylvain Beucler
Debian LTS Team