Detecting and fixing VSV00004 in older releases

Sylvain Beucler beuc at
Wed May 6 11:41:01 UTC 2020


On 24/04/2020 13:23, Sylvain Beucler wrote:
> On 23/04/2020 07:40, Dridi Boukelmoune wrote:
>> On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler <beuc at> wrote:
>>> I'm part of the Debian LTS (Long Term Support) team, I'm checking what
>>> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>>> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
>>> different to apply the git patch with good confidence.
>>> I appreciate that these versions are not officially supported anymore by
>>> the Varnish project. Since it is common in GNU/Linux distros to provide
>>> security fixes to users of packaged releases when feasible, I'm
>>> classifying this vulnerability and looking for a fix.
>> EOL series are definitely not a priority and I have other things to
>> look at before I can dive into this. So I will eventually revisit this
>> thread, or maybe someone will beat me to it if you're lucky.
>>> Is there a patch for older Varnish releases, or failing that, a
>>> proof-of-concept that would help me trigger and fix the vulnerability?
>> Not that I'm aware of.
>>> Note: to determine whether the versions are affected, and possibly
>>> backport the patch, I tried to reproduce the issue following the
>>> detailed advisory but without success, including on a vanilla 6.0.4:
>> If the advisory is inaccurate we will definitely want to amend it.
> Thanks for your answer.
> Do we know in what version Trygve Tønnesland triggered the vulnerability?

To put it differently, how would one make sure that applying
bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c fixes the issue in a Debian
version not explicitly referenced in VS0004, such as 6.1.1?

Sylvain Beucler
Debian LTS Team

More information about the varnish-misc mailing list