Detecting and fixing VSV00004 in older releases
dridi at varni.sh
Tue May 12 17:00:45 UTC 2020
> >> Do we know in what version Trygve Tønnesland triggered the vulnerability?
It was first discovered on Varnish Enterprise, and once the origin of
the leak was identified we surveyed older and newer releases and fixed
the ones listed in the advisory.
> > To put it differently, how would one make sure that applying
> > bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c fixes the issue in a Debian
> > version not explicitly referenced in VS0004, such as 6.1.1?
I tried to reproduce it myself today and I wasn't able to trigger the
leak on the master branch's commit prior to the fix. I asked
internally whether we have a reliable reproducer or if it's something
that needs a consequential workload to be observable.
> AFAICS no GNU/Linux distribution was able to fix their stable releases
> so far.
That's not too bad, there is a workaround and it is overall a niche
case. If I remember correctly when it was brought to us it wasn't a
security problem for the reporter but we recognized the bug as such.
Please note that in 2 of the 3 scenarios your VCL is incorrect in the
first place, so you have other problems to deal with more pressing
than the information leak.
More information about the varnish-misc