varnish - Debian Package Tracker

general

source: varnish (main)
version: 7.1.1-1
maintainer: Varnish Package Maintainers (DMD)
uploaders: Stig Sandbeck Mathisen [DMD] – Emanuele Rocca [DMD] – Jan Wagner [DMD] – Lars Bahner [DMD]
arch: all any
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.0.0-7+deb9u2
o-o-sec: 5.0.0-7+deb9u3
oldstable: 6.1.1-1+deb10u3
old-sec: 6.1.1-1+deb10u4
stable: 6.5.1-1+deb11u2
stable-sec: 6.5.1-1+deb11u2
testing: 7.1.1-1
unstable: 7.1.1-1

versioned links

5.0.0-7+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.0.0-7+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.1-1+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.1-1+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.5.1-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.1.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libvarnishapi-dev
libvarnishapi3
varnish (16 bugs: 0, 11, 5, 0)
varnish-doc

action needed

A new upstream version is available: 7.2.1 high

A new upstream version 7.2.1 is available, you should consider packaging it.

Created: 2022-09-17 Last update: 2022-12-04 04:10

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2022-45059: An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.
CVE-2022-45060: An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Created: 2022-11-09 Last update: 2022-11-28 02:02

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2022-45060: An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Created: 2022-11-09 Last update: 2022-11-28 02:02

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2022-45059: An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.
CVE-2022-45060: An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Created: 2022-11-09 Last update: 2022-11-28 02:02

lintian reports 1 error and 23 warnings high

Lintian reports 1 error and 23 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-10-23 Last update: 2022-10-17 12:05

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs, consider including or untagging them.

Created: 2022-07-27 Last update: 2022-12-04 09:34

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2022-10-06 Last update: 2022-12-04 04:20

13 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 32d77159575dd61ba27fe8a0e548119af1c243b6
Author: Stig Sandbeck Mathisen <ssm@debian.org>
Date:   Sat Aug 13 12:56:09 2022 +0200

    Add missing build dependency on dh addon.
    
    Changes-By: lintian-brush
    Fixes: lintian: missing-build-dependency-for-dh_-command
    See-also: https://lintian.debian.org/tags/missing-build-dependency-for-dh_-command.html

commit d0d42be62f5a3cd25d0b5c9620d670aad096f65b
Author: Stig Sandbeck Mathisen <ssm@debian.org>
Date:   Fri Aug 12 11:23:33 2022 +0200

    release

commit b765c6ff6bf3917f9b60b533c5fce2be0b71d3b9
Author: Stig Sandbeck Mathisen <ssm@debian.org>
Date:   Fri Aug 12 11:11:04 2022 +0200

    update lintian overrides

commit 6fe450a2f75b7e91b7b1ac37b58b58483c720de1
Author: Stig Sandbeck Mathisen <ssm@debian.org>
Date:   Tue Aug 9 14:02:12 2022 +0200

    changelog

commit 031242ae233e1b8fb81f6951f944448b5698ec84
Merge: a658eedc3 2e6a97d65
Author: Stig Sandbeck Mathisen <ssm@debian.org>
Date:   Tue Aug 9 14:01:58 2022 +0200

    Merge tag 'upstream/7.1.1' into debian/unstable
    
    Upstream version 7.1.1

commit 2e6a97d65174ca54281b92c1750775302bf904b1
Merge: a2045f840 7cee1c581
Author: Stig Sandbeck Mathisen <ssm@debian.org>
Date:   Tue Aug 9 14:00:29 2022 +0200

    New upstream version 7.1.1

commit 7cee1c581bead20e88d101ab3d72afb29f14d87a
Author: Martin Blix Grydeland <martin@varnish-software.com>
Date:   Thu Aug 4 14:18:08 2022 +0200

    Prepare for 7.1.1

commit 137d9814d7b214971c3ddcb04a6d68ca479f0a10
Author: Martin Blix Grydeland <martin@varnish-software.com>
Date:   Thu Aug 4 14:14:19 2022 +0200

    Add #3830 to the changelog

commit 0fb3baff7963604a55be0ed6ebdf1e4654ead219
Author: Martin Blix Grydeland <martin@varnish-software.com>
Date:   Thu Aug 4 11:04:37 2022 +0200

    Clean up assertions in http_hdr_flags()
    
    The input argument assertions and checks in http_hdr_flags() were
    misleading and lacking. With this patch it returns (NULL) on either input
    being NULL, and also when called with an empty string instead of
    asserting.

commit 19544fdc6649bd294f25314d9f609b4979b1fe48
Author: Martin Blix Grydeland <martin@varnish-software.com>
Date:   Thu Aug 4 10:59:33 2022 +0200

    Do not call http_hdr_flags() on pseudo-headers
    
    In http_EstimateWS(), all headers are passed to the http_isfiltered()
    function to calculate how many bytes is needed to serialize the entire
    struct http. http_isfiltered() will check the headers for whether they are
    going to be filtered out later and if so skip them.
    
    However http_isfiltered() would attempt to treat all elements of struct
    http as regular headers with an implicit structure. That does not hold for
    the first three pseudo-header entries, which would lead to asserts in
    later steps.
    
    This patch skips the filter step for pseudo-headers.
    
    Fixes: #3830

commit 3e22c7ab28ed2bd756445a1e595c90ec82156293
Author: Martin Blix Grydeland <martin@varnish-software.com>
Date:   Thu Aug 4 15:33:26 2022 +0200

    Follow redirects when downloading dist

commit d48636d23bb277ca8650a6174c872d74080f2859
Author: Martin Blix Grydeland <martin@varnish-software.com>
Date:   Tue Mar 15 15:52:54 2022 +0100

    Default to the 7.1 branch of pkg-varnish-plus

commit 75191239483e86beb4423162803272a1602a7635
Author: Martin Blix Grydeland <martin@varnish-software.com>
Date:   Tue Mar 15 15:43:13 2022 +0100

    Convert circleci setup to be a release branch
    
    Enable package building on commits

Created: 2022-08-10 Last update: 2022-11-27 23:07

news

[rss feed]

[2022-11-27] Accepted varnish 6.1.1-1+deb10u4 (source) into oldstable (Markus Koschany)
[2022-08-16] varnish 7.1.1-1 MIGRATED to testing (Debian testing watch)
[2022-08-12] Accepted varnish 7.1.1-1 (source) into unstable (Stig Sandbeck Mathisen)
[2022-06-20] varnish 7.1.0-6 MIGRATED to testing (Debian testing watch)
[2022-06-16] Accepted varnish 7.1.0-6 (source) into unstable (Stig Sandbeck Mathisen)
[2022-06-15] Accepted varnish 7.1.0-5 (all amd64 source) into unstable (Stig Sandbeck Mathisen)
[2022-06-14] Accepted varnish 7.1.0-4 (all amd64 source) into experimental, experimental (Debian FTP Masters) (signed by: Stig Sandbeck Mathisen)
[2022-05-06] varnish REMOVED from testing (Debian testing watch)
[2022-03-05] Accepted varnish 6.1.1-1+deb10u3 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Florian Weimer)
[2022-03-05] Accepted varnish 6.1.1-1+deb10u2 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Florian Weimer)
[2022-03-05] Accepted varnish 6.5.1-1+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Florian Weimer)
[2022-03-05] Accepted varnish 6.5.1-1+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Florian Weimer)
[2022-03-03] Accepted varnish 6.1.1-1+deb10u2 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Florian Weimer)
[2022-03-03] Accepted varnish 6.1.1-1+deb10u3 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Florian Weimer)
[2022-03-03] Accepted varnish 6.5.1-1+deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Florian Weimer)
[2022-03-03] Accepted varnish 6.5.1-1+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Florian Weimer)
[2022-02-13] Accepted varnish 5.0.0-7+deb9u3 (source) into oldoldstable (Markus Koschany)
[2021-10-04] varnish 6.6.1-1 MIGRATED to testing (Debian testing watch)
[2021-09-18] Accepted varnish 6.6.1-1 (source) into unstable (Stig Sandbeck Mathisen)
[2021-09-09] varnish 6.5.2-1 MIGRATED to testing (Debian testing watch)
[2021-07-20] Accepted varnish 6.5.2-1 (source) into unstable (Stig Sandbeck Mathisen)
[2020-11-19] varnish 6.5.1-1 MIGRATED to testing (Debian testing watch)
[2020-11-19] varnish 6.5.1-1 MIGRATED to testing (Debian testing watch)
[2020-09-29] Accepted varnish 6.5.1-1 (source) into unstable (Stig Sandbeck Mathisen)
[2020-09-17] Accepted varnish 6.5.0-1 (source) into unstable (Stig Sandbeck Mathisen)
[2020-05-27] varnish 6.4.0-3 MIGRATED to testing (Debian testing watch)
[2020-05-24] Accepted varnish 6.4.0-3 (source) into unstable (Stig Sandbeck Mathisen)
[2020-04-25] varnish 6.4.0-2 MIGRATED to testing (Debian testing watch)
[2020-04-23] Accepted varnish 6.4.0-2 (source) into unstable (Stig Sandbeck Mathisen)
[2020-04-18] Accepted varnish 6.4.0-1 (all amd64 source) into unstable (Stig Sandbeck Mathisen)

bugs [bug history graph]

all: 21 22
RC: 0
I&N: 12 13
M&W: 6
F&P: 3
patch: 3

links

homepage
lintian (1, 23)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.6.1-1
11 bugs (1 patch)