On Sun, Apr 25, 2021 at 08:14:02AM +0200, Salvatore Bonaccorso wrote:
> Hi Tobi,
>
> On Sat, Apr 24, 2021 at 10:33:36PM +0200, Tobias Frost wrote:
> > Package: varnish-modules
> > Followup-For: Bug #985947
> > Control: tags -1 unreproducible
> > Control: close -1
> >
> > According to https://varnish-cache.org/security/VSV00006.html the only
> > affected
> > version is 0.17.0:
>
> This btw, is often not enought to determine something is not affected.
> There are upstream which explicitly list only in their advisories, the
> currently affected and supported versions, other do deeper
> investigation and list the full range. Thus such a statement needs to
> be taken always with a grain of salt.
Indeed, that's why we typically file bugs regardless unless some package
is obviously not affected.
> > Therefore, closing the bug. If you disagree, please reopen.
>
> Looking at the code indeed, it looks to me that the respective code
> around checking the b variable is not present, I guess the issue was
> introducing while switching to strands, around commit
> b4d5927a2fbba31b1213225138f8432572414a24, wich indeed would be in
> 0.17.0 only onwards (for the varnish-modules).
>
> So I'm inclined to follow you and marking this really as not-affected
> for us.
>
> Moritz, do you agree?
Agreed.
Cheers,
Moritz
