Determining whether VSV00008 affects 4.0.x

Sylvain Beucler beuc at beuc.net
Fri Mar 11 16:58:37 UTC 2022


Hello,

I'm working on Debian security updates, and we're looking at fixing 
VSV00008 for Debian jessie (varnish 4.0.2).

AFAICT this version is not affected by VSV00008. I'm posting my findings 
here in case this helps other distros or vendors.

The test case for this vulnerability (f00008.vtc) passes for 4.0.x 
starting with 4.0.2.
(note: backporting the test case requires s/resp.reason/resp.msg/)

git-bisect shows that from:
https://github.com/varnishcache/varnish-cache/commit/d11d4419f3f9fa1d70e984f80c2078ea44e9e53c
(<4.0.2) "Deal with any remaining request body in cnt_synth"
until:
https://github.com/varnishcache/varnish-cache/commit/0c35ac8a7df799b53c31d8429206b928a9b9ca2b
(<4.1.0-beta1) "Use the HTTP/1 VFP's for fetching the req.body"
varnish-cache does not set "connection: keep-alive", but sets 
"connection: close" as expected, which also matches the documentation 
work-around for VSV00008.

Backporting VSV00008's fix for 4.0.2 does not appear to alter this behavior.

So AFAICT we do not need to fix VSV00008 for 4.0.2 in Debian jessie.
If you think I'm mistaken I'd be grateful if you could let me know.

Cheers!
Sylvain Beucler
Debian LTS Team
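
Added example, not part of the original message or of varnish-cache: the check described in the post (does the response leave the HTTP/1 connection open?) applied to captured response heads. The function names and sample responses are constructed for illustration; the persistence rules are those of RFC 7230 section 6.3, under which an HTTP/1.1 response with no Connection header is still persistent.

```python
def connection_persists(raw_head: bytes) -> bool:
    """Return True if this HTTP/1 response leaves the connection open."""
    head = raw_head.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version = lines[0].split(" ", 1)[0].upper()
    if not version.startswith("HTTP/1."):
        raise ValueError("not an HTTP/1 status line: %r" % lines[0])

    # Collect every token from every Connection header (it may repeat).
    tokens = set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())

    if "close" in tokens:
        return False                    # explicit close always wins
    if version == "HTTP/1.0":
        return "keep-alive" in tokens   # HTTP/1.0 closes unless asked to persist
    return True                         # HTTP/1.1 persists by default


def open_connections(samples: dict) -> list:
    """Labels of the captured responses that keep the connection open."""
    return sorted(label for label, head in samples.items()
                  if connection_persists(head))


# Constructed sample response heads (not captured from a real server).
SAMPLES = {
    "explicit-close": b"HTTP/1.1 503 Service Unavailable\r\n"
                      b"Content-Length: 0\r\nConnection: close\r\n\r\n",
    "explicit-keep-alive": b"HTTP/1.1 200 OK\r\n"
                           b"Content-Length: 0\r\nConnection: keep-alive\r\n\r\n",
    # No Connection header at all: searching only for "keep-alive" misses this.
    "implicit-keep-alive": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "http10-default": b"HTTP/1.0 200 OK\r\n\r\n",
}

if __name__ == "__main__":
    for label in open_connections(SAMPLES):
        print("connection left open:", label)
```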

