<div dir="ltr">Hello Sylvain,<div><br></div><div>I believe the reason that you are seeing the test case succeed on 4.0.x regardless of whether the fix for VSV00008 has been applied comes down to how the test case is constructed. The test case makes the Varnish server answer with a synthetic response (a response generated by VCL code internal to the Varnish server, as opposed to the backend-generated responses that Varnish normally delivers), because that is a convenient way to trigger the relevant code paths. And in Varnish prior to version 4.1, I believe, Varnish would always close the client connection when doing synthetic responses, meaning the test case always succeeds there.</div><div><br></div><div>Though synthetic responses are not the only way to trigger the problematic code paths in Varnish. Any request handling that would end up with Varnish wanting to read and discard the unused request body from the client socket before starting a response delivery would be susceptible to the bug. One way to test it could maybe be to use a GET request with a request body on a URL that would result in a cache hit. These would then, I presume, also open the vulnerability on 4.0.x, but unfortunately a test case using this approach has not been constructed.</div><div><br></div><div>When working on this vulnerability, we did not test specifically any Varnish versions prior to the supported releases, which stop at the Varnish 6.0 LTS series as the oldest. Though code analysis suggests this vulnerability has been present since the very first releases, as listed in our vulnerability description.</div><div><br></div><div>Regards,</div><div>Martin Blix Grydeland</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 11 Mar 2022 at 17:59, Sylvain Beucler <<a href="mailto:beuc@beuc.net">beuc@beuc.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
I'm working on Debian security updates, and we're looking at fixing <br>
VSV00008 for Debian jessie (varnish 4.0.2).<br>
<br>
AFAICT this version is not affected by VSV00008. I'm posting my findings <br>
here in case this helps other distros or vendors.<br>
<br>
The test case for this vulnerability (f00008.vtc) passes for 4.0.x <br>
starting with 4.0.2.<br>
(note: backporting the test case requires s/resp.reason/resp.msg/)<br>
<br>
git-bisect shows that from:<br>
<a href="https://github.com/varnishcache/varnish-cache/commit/d11d4419f3f9fa1d70e984f80c2078ea44e9e53c" rel="noreferrer" target="_blank">https://github.com/varnishcache/varnish-cache/commit/d11d4419f3f9fa1d70e984f80c2078ea44e9e53c</a><br>
(<4.0.2) "Deal with any remaining request body in cnt_synth"<br>
until:<br>
<a href="https://github.com/varnishcache/varnish-cache/commit/0c35ac8a7df799b53c31d8429206b928a9b9ca2b" rel="noreferrer" target="_blank">https://github.com/varnishcache/varnish-cache/commit/0c35ac8a7df799b53c31d8429206b928a9b9ca2b</a><br>
(<4.1.0-beta1) "Use the HTTP/1 VFP's for fetching the req.body"<br>
varnish-cache does not set "connection: keep-alive", but sets <br>
"connection: closes" as expected, which also matches the documentation <br>
work-around for VSV00008.<br>
<br>
Backporting VSV00008's fix for 4.0.2 does not appear to alter this behavior.<br>
<br>
So AFAICT we do not need to fix VSV00008 for 4.0.2 in Debian jessie.<br>
If you think I'm mistaken I'd be grateful if you could let me know.<br>
<br>
Cheers!<br>
Sylvain Beucler<br>
Debian LTS Team<br>
_______________________________________________<br>
varnish-misc mailing list<br>
<a href="mailto:varnish-misc@varnish-cache.org" target="_blank">varnish-misc@varnish-cache.org</a><br>
<a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc" rel="noreferrer" target="_blank">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><p>Martin Blix Grydeland<br>Senior Engineer | Varnish Software Group<br>Cache Smarter, Store More, Deliver Faster<br><a href="http://www.varnish-software.com/" target="_blank">www.varnish-software.com</a></p></div></div>
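Added here as an illustration, not a test from the thread or from the Varnish project: a varnishtest sketch of the alternative check Martin describes, a GET carrying a request body on a URL that is a cache hit, expecting the client connection to be closed as Sylvain observed on 4.0.2 and as the documented work-around does. The URL, the body, the cache header and the vcl_recv return are constructed assumptions, and the script has not been run against any Varnish release.

```vtc
varnishtest "VSV00008 check: GET with an unread request body on a cache hit"

# Constructed backend: serves one cacheable object and must only see one fetch.
server s1 {
	rxreq
	txresp -hdr "Cache-Control: max-age=60" -body "cached"
} -start

varnish v1 -vcl+backend {
	sub vcl_recv {
		# Assumption: force a lookup so a GET with a body still hits
		# the cache and its body is left unread on the client socket.
		return (hash);
	}
} -start

client c1 {
	# Warm the cache with an ordinary body-less request.
	txreq -url "/obj"
	rxresp
	expect resp.status == 200

	# Same URL with a body (txreq adds Content-Length): this is a hit,
	# so nothing consumes the body. A version that handles VSV00008,
	# or one that behaves like 4.0.2 per the thread, should close.
	txreq -url "/obj" -body "not consumed"
	rxresp
	expect resp.status == 200
	expect resp.http.connection == "close"
} -run
```

If the second response instead carries connection: keep-alive, the unread body is still on the socket when the server is ready for the next request, which is the condition the thread identifies as problematic.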