Your message dated Sat, 05 Mar 2022 13:17:12 +0000
with message-id <e1nquhy-000cu6...@fasolo.debian.org>
and subject line Bug#1004433: fixed in varnish 6.5.1-1+deb11u2
has caused the Debian Bug report #1004433,
regarding CVE-2022-23959: VSV00008 Varnish HTTP/1 Request Smuggling
Vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1004433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004433
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: varnish
Severity: normal
Hello!
There is a new vendor-announcement regarding a request smuggling attack
- this time affects HTTP/1 connections. It's apparently affecting all
versions >= Stretch.
https://varnish-cache.org/security/VSV00008.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959
Best Regards,
Andreas
--- End Message ---
--- Begin Message ---
Source: varnish
Source-Version: 6.5.1-1+deb11u2
Done: Florian Weimer <f...@deneb.enyo.de>
We believe that the bug you reported is fixed in the latest version of
varnish, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Weimer <f...@deneb.enyo.de> (supplier of updated varnish package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 13 Feb 2022 14:45:59 +0100
Source: varnish
Architecture: source
Version: 6.5.1-1+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Varnish Package Maintainers <team+varnish-t...@tracker.debian.org>
Changed-By: Florian Weimer <f...@deneb.enyo.de>
Closes: 1004433
Changes:
varnish (6.5.1-1+deb11u2) bullseye-security; urgency=medium
.
* Apply upstream patch to fix: VSV00008 Varnish HTTP/1 Request Smuggling
Vulnerability (CVE-2022-23959). (Closes: #1004433)
Checksums-Sha1:
183bfeecf817e5fadbe76da8364aed87f8f3ef9e 2098 varnish_6.5.1-1+deb11u2.dsc
1784291b975985b5c5929954e3fb176f4426507c 26036
varnish_6.5.1-1+deb11u2.debian.tar.xz
bbd911533af004f985a9ee35cf1fedeb126d0170 9781
varnish_6.5.1-1+deb11u2_amd64.buildinfo
Checksums-Sha256:
663c1a22bcae55ea6618354b77dab3f4718d77367890931c8153d183f0ace907 2098
varnish_6.5.1-1+deb11u2.dsc
d5e1d17919ee22d709d7f5f9a657353222e62fe388b74ed13e9d83be94855935 26036
varnish_6.5.1-1+deb11u2.debian.tar.xz
eab4007d621387994f0d572bfdca086cfa708b599a68a9a5f7c5dfaaa6e14b4a 9781
varnish_6.5.1-1+deb11u2_amd64.buildinfo
Files:
12b443b92be54c45109d073efbac7249 2098 web optional varnish_6.5.1-1+deb11u2.dsc
f1e2117e53f2b8b0f2753fb027ca3050 26036 web optional
varnish_6.5.1-1+deb11u2.debian.tar.xz
c35e7e45053deaf80a1a973104dfbb8f 9781 web optional
varnish_6.5.1-1+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEyNPZz/qecFY/MvpUv3v/BALVJL4FAmIJE/sACgkQv3v/BALV
JL7uuAf+N1Zhbm9FZ3YzEImqPpVaO5rz0k3VBsxkc0uSwAlkkTkLfqC/rLIq0Nr7
r8LulgS2GnXRvEgl+w3NCt8Sioci/0vJidaK46JqHKdCrx3OiBwiV9oYKBNYMbj0
Oezi+5GnfC9h2u0yTf4crGJcCCbjFGDpeelytDaXGUfcfcVGFcIY5NlZG4Bd9rcr
nYALrWLCzkMcGU+8UNppGvC3dL825w7gGYNXvsaU04xHKwuVEtYrHdHzuTS8S/Jg
266Gdvnx0RZY6jQOm8IuJMc15fLC0aFKYi4fhL/tAN9LV/WJsAnhQkC7utKEMC4I
movV243rPl5iqZcBqfY7MrjNjGyYyQ==
=4CrA
-----END PGP SIGNATURE-----
--- End Message ---
