Determining whether VSV00008 affects 4.0.x
Sylvain Beucler
beuc at beuc.net
Fri Mar 11 16:58:37 UTC 2022
Hello,
I'm working on Debian security updates, and we're looking at fixing
VSV00008 for Debian jessie (varnish 4.0.2).
AFAICT this version is not affected by VSV00008. I'm posting my findings
here in case this helps other distros or vendors.
The test case for this vulnerability (f00008.vtc) passes for 4.0.x
starting with 4.0.2.
(note: backporting the test case requires s/resp.reason/resp.msg/)
git-bisect shows that from:
https://github.com/varnishcache/varnish-cache/commit/d11d4419f3f9fa1d70e984f80c2078ea44e9e53c
(<4.0.2) "Deal with any remaining request body in cnt_synth"
until:
https://github.com/varnishcache/varnish-cache/commit/0c35ac8a7df799b53c31d8429206b928a9b9ca2b
(<4.1.0-beta1) "Use the HTTP/1 VFP's for fetching the req.body"
varnish-cache does not set "connection: keep-alive", but sets
"connection: close" as expected, which also matches the documentation
work-around for VSV00008.
Backporting VSV00008's fix for 4.0.2 does not appear to alter this behavior.
So AFAICT we do not need to fix VSV00008 for 4.0.2 in Debian jessie.
If you think I'm mistaken I'd be grateful if you could let me know.
Cheers!
Sylvain Beucler
Debian LTS Team
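
The header check described in the message above, as an added example that is not part of the original post or of varnish-cache: a Python helper that classifies a raw HTTP/1 response head by whether the server will close the connection or keep it open. The function name is hypothetical and the sample responses are constructed.

```python
# Added example: classify a raw HTTP/1.x response head by connection persistence.
# connection_disposition() is a hypothetical helper, not varnish-cache code.

def connection_disposition(raw: bytes) -> str:
    """Return "close" or "keep-alive" for a raw HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status_line = lines[0]
    if not status_line.startswith("HTTP/1."):
        raise ValueError("not an HTTP/1.x response: %r" % status_line)
    version = status_line.split(" ", 1)[0]

    # Header names are case-insensitive and Connection values are
    # comma-separated token lists, possibly spread over several headers.
    tokens = set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())

    if "close" in tokens:
        return "close"  # an explicit close always wins
    if version == "HTTP/1.0":
        # HTTP/1.0 is non-persistent unless keep-alive is explicit.
        return "keep-alive" if "keep-alive" in tokens else "close"
    return "keep-alive"  # HTTP/1.1 is persistent by default


# Constructed sample responses (not captured from a real Varnish instance).
SAMPLE_CLOSE = (b"HTTP/1.1 503 Service Unavailable\r\n"
                b"Content-Length: 0\r\nconnection: close\r\n\r\n")
SAMPLE_KEEPALIVE = (b"HTTP/1.1 503 Service Unavailable\r\n"
                    b"Content-Length: 0\r\nConnection: keep-alive\r\n\r\n")
SAMPLE_NO_HEADER = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_MIXED = b"HTTP/1.1 200 OK\r\nConnection: Keep-Alive, Close\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("close", SAMPLE_CLOSE), ("keep-alive", SAMPLE_KEEPALIVE),
                          ("no header", SAMPLE_NO_HEADER), ("mixed", SAMPLE_MIXED)]:
        print(label, "->", connection_disposition(sample))
```

An HTTP/1.1 response with no Connection header is reported as keep-alive, so a missing header counts the same as an explicit "connection: keep-alive".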