[Git][security-tracker-team/security-tracker][master] 3 commits: bookworm/bullseye triage of CVE-2025-8671/varnish

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Sep 26 04:59:26 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
03b2e4df by Carlos Henrique Lima Melara at 2025-09-25T23:04:24-03:00
bookworm/bullseye triage of CVE-2025-8671/varnish

CVE-2025-8671's fix relies on CVE-2023-44487's fix which was triaged as
"Minor issue, too intrusive to backport" in bookworm and bullseye.
Therefore, we follow the same approach for CVE-2025-8671.

On the 6.0 LTS branch, CVE-2025-8671's fix is [1], which relies on
h2_rapid_reset that was introduced in [2] to fix CVE-2023-44487. As
pointed out in #1056156, we are not following the 6.0 LTS branch and
there are a lot of commits between 6.0 LTS and 6.5.1 in bullseye, but
it serves as pointers.

[1] https://github.com/varnishcache/varnish-cache/commit/7c3fac93c39260873b87f69b6178e73abb42be6b (varnish-6.0.15)
[2] https://github.com/varnishcache/varnish-cache/commit/e555093912df07fd06ba8fb164517eb92267db3a (varnish-6.0.12)

- - - - -
0838def6 by Carlos Henrique Lima Melara at 2025-09-25T23:07:51-03:00
Record regression and fix for CVE-2025-8671/varnish for 7.7

- - - - -
65dc18f7 by Salvatore Bonaccorso at 2025-09-26T05:59:20+02:00
Merge branch 'update-cve-2025-8671-varnish' into 'master'

CVE-2025-8671/varnish: bookworm/bullseye triage and add regression info

See merge request security-tracker-team/security-tracker!247
- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -15796,6 +15796,8 @@ CVE-2025-8671 (A mismatch caused by client-triggered server-sent stream resets b
 	[bullseye] - h2o <postponed> (Minor issue)
 	- haproxy <not-affected> (Performs stream management correctly)
 	- varnish 7.7.2-1
+	[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
+	[bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://kb.cert.org/vuls/id/767506
 	NOTE: https://galbarnahum.com/made-you-reset
 	NOTE: h2o: https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq
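Review bot: The two added `<ignored>` lines for [bookworm] and [bullseye] give only the generic reason "Minor issue, too intrusive to backport", so someone reading data/CVE/list alone cannot tell what makes the backport intrusive. Consider adding a varnish NOTE alongside the other varnish NOTE lines that records the dependency described in the commit message, for example `NOTE: varnish: fix relies on h2_rapid_reset, introduced for CVE-2023-44487`, so the reasoning lives in the tracker data and not only in the commit log.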
@@ -15806,6 +15808,8 @@ CVE-2025-8671 (A mismatch caused by client-triggered server-sent stream resets b
 	NOTE: varnish: https://github.com/varnishcache/varnish-cache/commit/1aa6e49201acc64ec40b55a5482d1b26e939ff1c (varnish-7.7.2)
 	NOTE: varnish: https://github.com/varnishcache/varnish-cache/commit/f960bccb5c3558ad9c49d7d01ac689c1c614f741 (varnish-7.7.2)
 	NOTE: varnish: https://github.com/varnishcache/varnish-cache/commit/7710a5da9958d1b63720e4f6565dd1d87619d4c6 (varnish-7.7.2)
+	NOTE: varnish: Regression: https://github.com/varnishcache/varnish-cache/issues/4380
+	NOTE: varnish: Regression fix: https://github.com/varnishcache/varnish-cache/commit/cfee49ee9054a238bda686666ac6e471fbbfca10 (varnish-7.7.3)
 	NOTE: Unaffected implementations not requiring code changes:
 	NOTE: - lighttpd: Cf. https://bugs.debian.org/1111140#10 . Adds detection f HTTP/2 MadeYouReset so that log
 	NOTE: watchers can be configured to block offending IPs.
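Review bot: The added "Regression fix" NOTE is tagged varnish-7.7.3, while the unstable entry shown in the previous hunk still reads `- varnish 7.7.2-1`, so the entry marks as fixed a version that the new notes associate with a regression. Please confirm whether 7.7.2-1 as packaged carries the regression fix and, if it does not, say so in the NOTE or track the follow-up upload. The "Regression" NOTE would also be easier to act on with a few words describing what regressed next to the issue URL.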



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/59c1ae10b8dc733c11f45b103e45c758150f9bce...65dc18f7d38f222cc4840e2ea4005c0308cf1bec
