Detecting and fixing VSV00004 in older releases

Sylvain Beucler beuc at
Wed May 13 13:25:01 UTC 2020


On 13/05/2020 11:03, Dridi Boukelmoune wrote:
>> I tried to reproduce it myself today and I wasn't able to trigger the
>> leak on the master branch's commit prior to the fix. I asked
>> internally whether we have a reliable reproducer or if it's something
>> that needs a consequential workload to be observable.
> The step I was missing trying to reproduce this on my own was ensuring
> that the error reason is far enough in the client workspace to be
> leakable.
> It turns out we had a test case covering all 3 scenarios that was
> supposed to be pushed a while after the disclosure, but was forgotten.
> You can use this test case now before and after applying the patch:

Thanks a lot!

I was able to check and fix one version (6.1.1); I'll now check the others.

Sylvain Beucler
Debian LTS Team

More information about the varnish-misc mailing list