Hi,

On Wed, Feb 23, 2022 at 09:40:39AM +0100, Andreas Unterkircher wrote:
> I know we (or most of us) are volunteers working on Debian. But I have to
> admit I'm a bit worried that we haven't patched this critical
> cache-poisoning vulnerability in Varnish for one month (except in Debian
> Stretch LTS).
>
> Attached patches containing the fixes for CVE-2022-23959.
>
> For Debian Buster I took them from the Varnish 6.0 LTS branch:
>
> https://github.com/varnishcache/varnish-cache/commit/dcbe8b9ebf5b352e2534fc5645afa1d9747e9647
> https://github.com/varnishcache/varnish-cache/commit/b8351f7f6231315f0fe00410b91893235eb29f57
>
> For Debian Bullseye from the Varnish 6.6 branch:
>
> https://github.com/varnishcache/varnish-cache/commit/9ed39d1f796369caafb647fe37b729c07f332327
> https://github.com/varnishcache/varnish-cache/commit/ec531e16b9cd139bbf8971c5b306561c669681f4
Those updates were already prepared by Florian Weimer, but we need someone using it to actually test the updates, as they include other CVE fixes (namely CVE-2021-36740).

If you are interested in testing the (yet unofficial) debs, let us know; this might speed up the DSA release a bit ;-)

Regards,
Salvatore