[ubuntu/focal-security] varnish 6.2.1-2ubuntu0.2 (Accepted)

Paulo Flabiano Smorigo pfsmorigo at canonical.com
Mon Aug 22 14:29:46 UTC 2022 

varnish (6.2.1-2ubuntu0.2) focal-security; urgency=medium

  * SECURITY REGRESSION: Incomplete fix for CVE-2020-11653 (LP: #1986627)
    - debian/patches/WS_ReserveAll.patch: Rename to CVE-2020-11653-01.patch.
    - debian/patches/WS_ReserveSize.patch: Rename to CVE-2020-11653-02.patch.
    - debian/patches/CVE-2020-11653-03.patch: Add a facility to test
      WS_ReserveSize().
    - debian/patches/CVE-2020-11653-04.patch: Correct the overflow condition in
      WS_ReserveSize().
    - debian/patches/CVE-2020-11653-05.patch: Fix copy-pasted test description.
    - debian/patches/CVE-2020-11653-06.patch: Add Session Attribute workspace
      overflow handling.
    - debian/patches/CVE-2020-11653-07.patch: Simplify WS allocation in
      tlv_string.
    - debian/patches/CVE-2020-11653-08.patch: Try to make the proxy code session
      workspace overflow test on 32-bit platforms.
    - debian/patches/CVE-2020-11653-09.patch: Adjust the workspace session size
      for 32-bit vtest machines.
    - debian/patches/CVE-2020-11653-10.patch: Handle out of session workspace in
      http1_new_session().
    - debian/patches/CVE-2020-11653-11.patch: Remove extra call to
      SES_Reserve_proto_priv().
    - debian/patches/CVE-2020-11653-12.patch: Remove call to
      SES_Reserve_proto_priv() in h2_init_sess().
    - debian/patches/CVE-2020-11653-13.patch: Handle badly formatted proxy TLVs.
    - debian/patches/CVE-2020-11653-14.patch: Add a missing assertion to
      WS_ReserveAll().
    - debian/patches/CVE-2020-11653-15.patch: Fix WS_ReserveSize calls when
      bytes is equal to free workspace.
    - debian/patches/CVE-2020-11653.patch: Rename to CVE-2020-11653-16.patch.

Date: 2022-08-19 15:14:15.676419+00:00
Changed-By: Luís Cunha dos Reis Infante da Câmara <luis.infante.da.camara at tecnico.ulisboa.pt>
Signed-By: Paulo Flabiano Smorigo <pfsmorigo at canonical.com>
https://launchpad.net/ubuntu/+source/varnish/6.2.1-2ubuntu0.2
-------------- next part --------------
Sorry, changesfile not available.

More information about the Focal-changes mailing list