Detecting and fixing VSV00004 in older releases

Sylvain Beucler beuc at
Tue May 12 16:27:18 UTC 2020


(adding security contact in Cc:)

On 06/05/2020 13:41, Sylvain Beucler wrote:
> On 24/04/2020 13:23, Sylvain Beucler wrote:
>> On 23/04/2020 07:40, Dridi Boukelmoune wrote:
>>> On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler <beuc at> wrote:
>>>> I'm part of the Debian LTS (Long Term Support) team, I'm checking what
>>>> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>>>> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
>>>> different to apply the git patch with good confidence.
>>>> I appreciate that these versions are not officially supported anymore by
>>>> the Varnish project. Since it is common in GNU/Linux distros to provide
>>>> security fixes to users of packaged releases when feasible, I'm
>>>> classifying this vulnerability and looking for a fix.
>>> EOL series are definitely not a priority and I have other things to
>>> look at before I can dive into this. So I will eventually revisit this
>>> thread, or maybe someone will beat me to it if you're lucky.
>>>> Is there a patch for older Varnish releases, or failing that, a
>>>> proof-of-concept that would help me trigger and fix the vulnerability?
>>> Not that I'm aware of.
>>>> Note: to determine whether the versions are affected, and possibly
>>>> backport the patch, I tried to reproduce the issue following the
>>>> detailed advisory but without success, including on a vanilla 6.0.4:
>>> If the advisory is inaccurate we will definitely want to amend it.
>> Thanks for your answer.
>> Do we know in what version Trygve Tønnesland triggered the vulnerability?
> To put it differently, how would one make sure that applying
> bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c fixes the issue in a Debian
> version not explicitly referenced in VS0004, such as 6.1.1?

AFAICS no GNU/Linux distribution was able to fix their stable releases
so far.

We'd greatly appreciate information on reproducing the issue (such as
configuration file and curl request), to determine if our packages are
affected and whether we properly fixed them when attempting to backport
the fix.  Cf. the start of the thread for my current attempt

In case you currently don't have the resources, would you mind
(privately) sharing the finder's contact with me so I can gather more

Sylvain Beucler
Debian LTS Team

More information about the varnish-misc mailing list