Hi,

As part of Debian LTS, I'm checking what versions are affected (esp. 4.x) and how to fix them (as cache_req_fsm.c in 4.x and 5.x is too different to apply the patch).

Did anybody from Debian contact upstream for a PoC or an alternate patch yet? Otherwise I'll do it.

Right now I tried to reproduce the issue following the advisory but without success, including on upstream 6.0.4:

/etc/varnish/default.vcl:

    vcl 4.0;

    backend default {
        .host = "127.0.0.1";
        .port = "80";
    }

    sub vcl_deliver {
        # force a restart on the second request
        if (req.url ~ "/2") {
            set resp.status = 123;
            set resp.reason = "blah";
            return (restart);
        }
    }

    sub vcl_synth {
        synthetic( {"Status: "} + resp.status + {" Reason: "} + resp.reason + {" XID: "} + req.xid + {" "} );
        return (deliver);
    }

    ./varnishd -F -a :6081 -f /etc/varnish/default.vcl -p max_restarts=1
    curl localhost:6081/1 localhost:6081/2

-> Reason: Service Unavailable (no leak)

Cheers!
Sylvain