Detecting and fixing VSV00004 in older releases

[Dridi Boukelmoune]

Bonjour Sylvain,

On Sat, Apr 18, 2020 at 7:18 PM Sylvain Beucler <beuc at beuc.net> wrote:
>
> Hi,
>
> I'm part of the Debian LTS (Long Term Support) team, I'm checking what
> Debian varnish packages are affected by CVE-2019-20637, and how to fix them.
>
> In particular, we ship 4.0.2 and 5.0.0, where cache_req_fsm.c is too
> different to apply the git patch with good confidence.
>
> I appreciate that these versions are not officially supported anymore by
> the Varnish project. Since it is common in GNU/Linux distros to provide
> security fixes to users of packaged releases when feasible, I'm
> classifying this vulnerability and looking for a fix.

EOL series are definitely not a priority and I have other things to
look at before I can dive into this. So I will eventually revisit this
thread, or maybe someone will beat me to it if you're lucky.

> Is there a patch for older Varnish releases, or failing that, a
> proof-of-concept that would help me trigger and fix the vulnerability?

Not that I'm aware of.

> Note: to determine whether the versions are affected, and possibly
> backport the patch, I tried to reproduce the issue following the
> detailed advisory but without success, including on a vanilla 6.0.4:

If the advisory is inaccurate we will definitely want to amend it.

Dridi