Hi.

On 26/06/24 08:17 PM, Ola Lundqvist wrote:
...
> >
> > If I remember correctly, CVE-2024-30156 was very intrusive. But I
> > didn't mark it likewise as I wanted to give it a try after other fixes.
> 
> Good point. Do you still think it is worth fixing when you have worked
> on the other issues, or should I mark it as ignored now?

I think it's better to mark it as ignored now.

> > CVE-2023-44487, I did port upstream fixes. But tests were failing.
> > https://people.debian.org/~abhijith/reports/LTS_ELTS-Decemeber-2023.txt
> 
> Where did you get the tests from? I do not see those tests in the
> package. Are they from some upstream repo?
> If yes, did they pass before the correction?

https://github.com/varnishcache/varnish-cache/tree/varnish-6.1.1/bin/varnishtest

It's also shipped in the Debian source, but not performed at build time.
Yes, the tests were passing before my changes. (Some tests were already
failing, but after the patches the test failures only increased.)

> > CVE-2019-20637, I have a patch locally on my machine. But I am not
> > sure whether it's complete, and atm I have no access to a proper machine to
> > build. Patch attached in the mail.
> 
> It should be complete. If it is not complete the fix for bullseye is
> not correct because it is the same.

OK.


--abhijith
