Hi Andreas,

Sorry for the delay, busy yesterday.

On Wed, Feb 23, 2022 at 11:23:38AM +0100, Andreas Unterkircher wrote:
> Hello Salvatore!
>
> > Those updates were already prepared by Florian Weimer, but we need
> > someone using it to actually test the updates as it includes other CVE
> > fixes (namely CVE-2021-36740). If you are interested to test (yet
> > unofficial) debs, let us know, this might speed up a bit the DSA
> > release ;-)
>
> I'm not sure how to exploit these two flaws - so I probably can't verify if
> the updates by Florian are then ultimately fixing the security-issues. But I
> can verify that the updated software-packages would basically work on some
> real-life systems. If that would already help you - feel free to share :)

Thank you! Unofficial and amd64 only builds (including the source in case
you want to build it on your own) are at:

https://people.debian.org/~carnil/tmp/varnish/

Would be great if you can test the packages in production, even if not
explicitly for the two CVEs so we can get some more confidence.

Regards,
Salvatore