[Git][security-tracker-team/security-tracker][master] CVE-2019-20637/varnish: jessie not-affected

Fri May 15 10:35:37 BST 2020


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
58040b35 by Sylvain Beucler at 2020-05-15T11:34:03+02:00
CVE-2019-20637/varnish: jessie not-affected

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3855,9 +3855,11 @@ CVE-2020-11647 (In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-07.html
 CVE-2019-20637 (An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6 ...)
 	- varnish 6.4.0-1 (bug #956305)
+	[jessie] - varnish <not-affected> (Vulnerability introduced later, PoC not leaking)
 	NOTE: http://varnish-cache.org/security/VSV00004.html#vsv00004
 	NOTE: https://github.com/varnishcache/varnish-cache/commit/bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c (6.x fix)
 	NOTE: https://github.com/varnishcache/varnish-cache/commit/0c9c38513bdb7730ac886eba7563f2d87894d734 (test case / reproducer)
+	NOTE: Introduced in https://github.com/varnishcache/varnish-cache/commit/62932b422f311ed1224f14a216169bcdc1b77a2d (5.0)
 	NOTE: Case #3 implies labels introduced in https://github.com/varnishcache/varnish-cache/commit/34350d5e183ef4e04285729d1f63b784d1bc6454 (5.0)
 CVE-2020-11646
 	RESERVED


=====================================
data/dla-needed.txt
=====================================
@@ -115,15 +115,6 @@ tomcat8
 tzdata
   NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto)
 --
-varnish (Sylvain Beucler)
-  NOTE: 20200410: There was a reworking of the functions in cache_req_fsm.c
-  NOTE: 20200410: compared to HEAD, but a glance suggests that the underlying
-  NOTE: 20200410: reset of err_code and err_reason still might need doing, but
-  NOTE: 20200410: I don't quite understand the restart/synthetic requests. (lamby)
-  NOTE: 20200424: Getting diagnostic info from upstream, cf. #956305 (Beuc)
-  NOTE: 20200506: Not enough info so far, ping'd varnish-misc ML (Beuc)
-  NOTE: 20200512: Not enough info so far, ping'd security contacts (Beuc)
---
 xcftools (Anton Gladky)
   NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
   NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58040b35d3db55baa077ffe425a0b7d8d989980b

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58040b35d3db55baa077ffe425a0b7d8d989980b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200515/1cd70c27/attachment-0001.html>
