Format: 1.8
Date: Wed, 28 May 2025 22:53:03 CEST
Source: varnish
Architecture: source
Version: 6.5.1-1+deb11u5
Distribution: bullseye-security
Urgency: high
Maintainer: Varnish Package Maintainers <team+varnish-team@tracker.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 ca160e4ed1e5963574a317b782eac41ed0cc74bd 2594 varnish_6.5.1-1+deb11u5.dsc
 2a19e12ffc743b29d4b3d472c6a362f46c1c0768 30456 varnish_6.5.1-1+deb11u5.debian.tar.xz
 c8108e28706269b70d3b73c5ab078730e91e7973 11393 varnish_6.5.1-1+deb11u5_amd64.buildinfo
Checksums-Sha256:
 44a4203fbf7cd880d7881cea4ab0c2c5058cc692f78f588b3d6133b887423379 2594 varnish_6.5.1-1+deb11u5.dsc
 01bc4d4552866874f952e931c11cda0acdc4289f2859a418e60e52ceb69eff24 30456 varnish_6.5.1-1+deb11u5.debian.tar.xz
 4091f67ce5482995eb7e795c3910dc7c8f6dd1119e8e10789dbe0bc1c10a98bb 11393 varnish_6.5.1-1+deb11u5_amd64.buildinfo
Changes:
 varnish (6.5.1-1+deb11u5) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2025-47905:
     A client-side desync vulnerability can be triggered in Varnish, a
     high-performance web accelerator. An attacker can abuse a flaw in
     Varnish’s handling of chunked transfer encoding which allows certain
     malformed HTTP/1 requests to exploit improper framing of the message
     body to smuggle additional requests. Specifically, Varnish incorrectly
     permits CRLF to be skipped to delimit chunk boundaries.
Files:
 cbe315f3a302e4308a87c3e525f5ba94 2594 web optional varnish_6.5.1-1+deb11u5.dsc
 752e1aaf796805d3ede21dd7ba224bd1 30456 web optional varnish_6.5.1-1+deb11u5.debian.tar.xz
 f1164b568d1cbd07a2386ec108f5eeac 11393 web optional varnish_6.5.1-1+deb11u5_amd64.buildinfo
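
The framing rule named in the changelog entry above, shown as an added example that is not taken from the Varnish source or from the Debian patch: a strict chunked-body decoder that rejects any body in which the CRLF delimiting a chunk boundary is missing. The names decode_chunked and FramingError and both sample bodies are constructed for illustration; chunk extensions and trailers are rejected to keep the example short.

```python
import re


class FramingError(ValueError):
    """Raised when a chunked body violates HTTP/1.1 chunk framing."""


# chunk-size is one or more hex digits. Chunk extensions are rejected here
# (a simplification made for this example, not a protocol requirement).
_SIZE_LINE = re.compile(rb"[0-9A-Fa-f]{1,8}")

# Constructed samples: a well-formed body, and one where the CRLF after the
# first chunk's data is absent.
GOOD = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
NO_CRLF = b"5\r\nhello6\r\n world\r\n0\r\n\r\n"


def decode_chunked(buf: bytes) -> tuple[bytes, bytes]:
    """Return (decoded_body, bytes_after_message); raise FramingError if malformed."""
    body = bytearray()
    pos = 0
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("chunk-size line not terminated by CRLF")
        size_line = buf[pos:eol]
        if not _SIZE_LINE.fullmatch(size_line):
            raise FramingError(f"bad chunk-size line {size_line!r}")
        size = int(size_line, 16)
        pos = eol + 2
        if size == 0:
            break
        data_end = pos + size
        if data_end + 2 > len(buf):
            raise FramingError("truncated chunk")
        # Chunk data must be followed by exactly CRLF. A parser that skips
        # this check disagrees with strict peers about where the next chunk
        # (and therefore the next request) begins.
        if buf[data_end:data_end + 2] != b"\r\n":
            raise FramingError("chunk-data not followed by CRLF")
        body += buf[pos:data_end]
        pos = data_end + 2
    # Only an empty trailer section (the final CRLF) is accepted here.
    if buf[pos:pos + 2] != b"\r\n":
        raise FramingError("missing final CRLF (trailers unsupported here)")
    return bytes(body), buf[pos + 2:]
```

The second return value is whatever follows the message on the connection, which is the data a front end and a back end must agree on for request boundaries to stay in sync.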