On Tue, Sep 03, 2019 at 10:43:55PM +0200, Steinar H. Gunderson wrote:
> tags 939333 + patch
> thanks
> 
> On Tue, Sep 03, 2019 at 02:27:33PM +0200, Salvatore Bonaccorso wrote:
> > See https://varnish-cache.org/security/VSV00003.html . A CVE does not
> > seem yet to be assigned (but a request pending now).
> 
> I made a backport to 6.1.1 for stable. It consists of all changes between
> 6.2.0 and 6.2.1 in git, except:
> 
>  - No bumping of version number or changelog.
>  - Removed some unrelated change of #include order in otherwise untouched
>    files.
>  - The tests are not included (probably should be; I removed them as part
>    of trying to backport in a slightly different fashion).
>  - bin/varnishtest/vtc_http.c needed additional changes from the 6.2.0 set
>    to have the end pointer vct_iscrlf() and vct_skipcrlf() now need;
>    since varnishtest is not meant to be run against untrusted servers,
>    I changed the patch to simply use the old, insecure versions
>    (now named vct_iscrlf_unsafe() and vct_skipcrlf_unsafe()).
>  - The diff has been refreshed to fix line numbers.
> 
> With this patch in debian/patches/, Varnish compiles and appears to run
> normally (we already use it in production).

Thanks! I've built an updated package and verified via the reproducer
included in the tests that Varnish no longer crashes.

I've uploaded the build to security buildds, a DSA will be available tomorrow.

Cheers,
        Moritz

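The end-pointer change Steinar describes for vct_iscrlf()/vct_skipcrlf() in the quoted bullet, as an added illustration that is not Varnish's own code (function names, signatures and the 2/1/0 return convention are assumptions): an unbounded CRLF check beside one that is handed the end of the buffer and never reads past it.

```c
#include <stddef.h>

/* Hypothetical stand-ins for Varnish's vct_iscrlf()/vct_skipcrlf().
 * Names, signatures and return values are assumptions, not the real API.
 * Return 2 for CRLF, 1 for a bare LF, 0 for neither. */

/* Unbounded variant: inspects p[0] and p[1] with no notion of where the
 * buffer ends, so a buffer whose last byte is CR makes it read one past. */
int iscrlf_unsafe(const char *p)
{
    if (p[0] == '\r' && p[1] == '\n')
        return 2;
    if (p[0] == '\n')
        return 1;
    return 0;
}

/* Bounded variant: every byte read is guarded by the end pointer. */
int iscrlf_bounded(const char *p, const char *end)
{
    if (p >= end)
        return 0;
    if (p[0] == '\n')
        return 1;
    if (p[0] == '\r' && p + 1 < end && p[1] == '\n')
        return 2;
    return 0;
}

/* Skip a run of line terminators without stepping past end. */
const char *skipcrlf_bounded(const char *p, const char *end)
{
    int n;
    while ((n = iscrlf_bounded(p, end)) > 0)
        p += n;
    return p;
}

/* Classify the bytes at s given its length, e.g. a truncated "\r" alone. */
int classify(const char *s, size_t len)
{
    return iscrlf_bounded(s, s + len);
}

/* Constructed input: a header terminator followed by body bytes. */
size_t demo_skip_terminator(void)
{
    static const char buf[] = "\r\n\r\nbody";
    const char *end = buf + sizeof(buf) - 1;  /* exclude the NUL */
    return (size_t)(skipcrlf_bounded(buf, end) - buf);  /* 4 */
}
```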