Security, bugs & vulnerabilities
Rev. 2021-08-17 phk
List of all Varnish CVEs

Versions | CVE | What
---|---|---
5.x, 6.x, 7.x | |
5.x, 6.x, 7.x | |
vmod_digest | |
6.x, 7.x | |
7.0, 7.1, 7.2 | |
7.0, 7.1 | |
< 7.0.2 | |
6.0, 6.5, 6.6 | |
(6.5) | |
6.0, 6.2, 6.3 | |
6.0, 6.2, 6.3 | |
6.0, 6.2 | |
4.1, 5.2 | |
4.x, 5.x | |
< 3.0.5 | | DoS
<= 3.0.3 | | Local information leak
2.0.6 | | Trophy hunting
< 2.1.0 | | Trophy hunting
We take security and quality very seriously in the Varnish project, and we are more than a little proud that it took eleven years before we had a major security issue.
I have found a security hole
Send email to Poul-Henning, Nils and Martin: Email addresses and GPG keys
I want to hear about security vulnerabilities
Subscribe to the Varnish Announce mailing list
Vulnerabilities are, and will continue to be, listed near the top of this page while they are new, and move further down as they get older.
I’m a VIVU goddammit!
Varnish users come in all sizes and importance, some are private homepages, some are global CDNs, national governments or major news outlets.
We want to provide some way for Varnish users to get early warning about future security incidents, but we do not want to pass judgement on who the “Very Important Varnish Users” are, and much less do we want to try to keep up-to-date contact information for a list that long.
We also don’t want to make this information free, because if we did, every criminal and his brother would sign up to get a head start against the Varnish users.
The rule going forward is therefore that if you contributed at least EUR 240 towards a Varnish Moral License in the 12 months preceding the disclosure date, you will get early warning about security issues.
On a case-by-case basis and purely at our discretion, we will also extend this privilege to people who have contributed significantly to the project in other ways.
Security Politics
To be totally honest, this section is quite speculative; we have very little experience in this area, but this is how I expect we would react to a major security issue:
Assign a VSV number
Try to get a CVE assigned.
Create a VCL workaround, if at all possible.
Fix the problem.
If it makes sense (i.e. there is no VCL workaround), roll a point-release.
Announce on announce@varnish-cache.org and homepage.
Kick ourselves, for months, for missing the bug.
Define “Major”
As you will notice if you peruse the CVEs listed above, we are not kindly inclined to trophy-hunting and shrill alarmism.
If security advisories are to have any utility, they should be both rare and relevant.
In particular, we do not consider it a security vulnerability that somebody has a different taste in program architecture, or that aliens might be able to DoS Varnish servers if they have invented quantum computers we cannot even comprehend.
On the other hand, if we find anything, on our own or thanks to external contributors, which imperils Varnish users, we will not hesitate to issue a CVE to get people’s attention.
11 years, really?
Yes, indeed. Luck probably has a lot to do with it, but luck tends to favour the well-prepared, and we have had a big focus on quality since the very start.