Hi Tobi,

On Sat, Apr 24, 2021 at 10:33:36PM +0200, Tobias Frost wrote:
> Package: varnish-modules
> Followup-For: Bug #985947
> Control: tags -1 unreproducible
> Control: close -1
>
> According to https://varnish-cache.org/security/VSV00006.html the only affected
> version is 0.17.0:

This, btw, is often not enough to determine something is not affected. There
are upstreams which explicitly list in their advisories only the currently
affected and supported versions; others do deeper investigation and list the
full range. Thus such a statement always needs to be taken with a grain of
salt.

> > Versions affected
> >
> > varnish-modules version 0.17.0
> >
> > varnish-modules klarlack version 0.17.0
> >
> > Notice that these versions of varnish-modules require Varnish Cache version
> > 6.5 or later.
> >
> > Notice that users are only affected if the header.append() or header.copy()
> > functions are used.
> >
> > Versions not affected
> >
> > Any version of varnish-modules compatible with Varnish Cache versions 6.4 and
> > earlier are not affected. This includes the Varnish Cache 6.0-LTS series and
> > all versions of Varnish Cache Plus.
>
> As we've got 0.16.0 (varnish-modules) we are not affected… Looking at the code
> in question, the layout of the function was completely different at that
> version, but I see the equivalent of the missing nullptr-check in the old code
>
> Therefore, closing the bug. If you disagree, please reopen.

Looking at the code indeed, it looks to me that the respective code around
checking the b variable is not present. I guess the issue was introduced while
switching to strands, around commit b4d5927a2fbba31b1213225138f8432572414a24,
which indeed would be in 0.17.0 only onwards (for the varnish-modules).

So I'm inclined to follow you and mark this really as not-affected for us.

Moritz, do you agree?

Regards,
Salvatore