On Sun, Apr 25, 2021 at 08:14:02AM +0200, Salvatore Bonaccorso wrote: > Hi Tobi, > > On Sat, Apr 24, 2021 at 10:33:36PM +0200, Tobias Frost wrote: > > Package: varnish-modules > > Followup-For: Bug #985947 > > Control: tags -1 unreproducible > > Control: close -1 > > > > According to https://varnish-cache.org/security/VSV00006.html the only > > affected > > version is 0.17.0: > > This btw, is often not enought to determine something is not affected. > There are upstream which explicitly list only in their advisories, the > currently affected and supported versions, other do deeper > investigation and list the full range. Thus such a statement needs to > be taken always with a grain of salt.
Indeed, that's why we typically file bugs regardless unless some package is obviously not affected. > > Therefore, closing the bug. If you disagree, please reopen. > > Looking at the code indeed, it looks to me that the respective code > around checking the b variable is not present, I guess the issue was > introducing while switching to strands, around commit > b4d5927a2fbba31b1213225138f8432572414a24, wich indeed would be in > 0.17.0 only onwards (for the varnish-modules). > > So I'm inclined to follow you and marking this really as not-affected > for us. > > Moritz, do you agree? Agreed. Cheers, Moritz