[Git][security-tracker-team/security-tracker][master] CVE-2019-20637/varnish: jessie not-affected
Sylvain Beucler
beuc at debian.org
Fri May 15 10:35:37 BST 2020
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
58040b35 by Sylvain Beucler at 2020-05-15T11:34:03+02:00
CVE-2019-20637/varnish: jessie not-affected
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3855,9 +3855,11 @@ CVE-2020-11647 (In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15
NOTE: https://www.wireshark.org/security/wnpa-sec-2020-07.html
CVE-2019-20637 (An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6 ...)
- varnish 6.4.0-1 (bug #956305)
+ [jessie] - varnish <not-affected> (Vulnerability introduced later, PoC not leaking)
NOTE: http://varnish-cache.org/security/VSV00004.html#vsv00004
NOTE: https://github.com/varnishcache/varnish-cache/commit/bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c (6.x fix)
NOTE: https://github.com/varnishcache/varnish-cache/commit/0c9c38513bdb7730ac886eba7563f2d87894d734 (test case / reproducer)
+ NOTE: Introduced in https://github.com/varnishcache/varnish-cache/commit/62932b422f311ed1224f14a216169bcdc1b77a2d (5.0)
NOTE: Case #3 implies labels introduced in https://github.com/varnishcache/varnish-cache/commit/34350d5e183ef4e04285729d1f63b784d1bc6454 (5.0)
CVE-2020-11646
RESERVED
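Review bot: The added `[jessie]` line packs two separate reasons into one parenthetical ("Vulnerability introduced later, PoC not leaking") without saying which varnish version jessie ships or which build the PoC was run against, so the not-affected claim cannot be checked from the entry alone. Consider recording the jessie version next to the reason. The new "Introduced in ... (5.0)" NOTE also sits directly above the existing "Case #3 implies labels introduced in ... (5.0)" NOTE; wording it as "Vulnerability introduced in" would make clear that the first names the commit that brought in the flaw, while the second refers to the labels that case #3 relies on.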
=====================================
data/dla-needed.txt
=====================================
@@ -115,15 +115,6 @@ tomcat8
tzdata
NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto)
--
-varnish (Sylvain Beucler)
- NOTE: 20200410: There was a reworking of the functions in cache_req_fsm.c
- NOTE: 20200410: compared to HEAD, but a glance suggests that the underlying
- NOTE: 20200410: reset of err_code and err_reason still might need doing, but
- NOTE: 20200410: I don't quite understand the restart/synthetic requests. (lamby)
- NOTE: 20200424: Getting diagnostic info from upstream, cf. #956305 (Beuc)
- NOTE: 20200506: Not enough info so far, ping'd varnish-misc ML (Beuc)
- NOTE: 20200512: Not enough info so far, ping'd security contacts (Beuc)
---
xcftools (Anton Gladky)
NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
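Review bot: The removed varnish entry ends on "Not enough info so far, ping'd security contacts" (20200512), and its 20200410 notes leave open whether the reset of err_code and err_reason is still needed in the reworked cache_req_fsm.c; dropping the entry removes that history without recording how the question was settled. The only rationale left is the `<not-affected>` line in data/CVE/list, so it would help if the commit message or that note said whether upstream replied or the conclusion came from local analysis and testing.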
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58040b35d3db55baa077ffe425a0b7d8d989980b