varnish: CVE-2017-8807: Data leak - '-sfile' Stevedore transient objects

Related Vulnerabilities: CVE-2017-8807  

Debian Bug report logs - #881808


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 15 Nov 2017 11:45:01 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in version varnish/5.0.0-1

Fixed in versions varnish/5.0.0-7+deb9u2, varnish/5.2.1-1

Done: Stig Sandbeck Mathisen <ssm@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/varnishcache/varnish-cache/pull/2429



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#881808; Package src:varnish. (Wed, 15 Nov 2017 11:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Wed, 15 Nov 2017 11:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: varnish: CVE-2017-8807: Data leak - '-sfile' Stevedore transient objects
Date: Wed, 15 Nov 2017 12:43:08 +0100
Source: varnish
Version: 5.0.0-1
Severity: serious
Tags: patch security upstream fixed-upstream
Forwarded: https://github.com/varnishcache/varnish-cache/pull/2429
Control: fixed -1 5.0.0-7+deb9u2

Hi,

the following vulnerability was published for varnish.

CVE-2017-8807[0]:
Data leak - '-sfile' Stevedore transient objects

The fix for stretch-security has already been prepared and will be
released shortly, already marking the version as fixed accordingly
since prepared before.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8807
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8807
[1] https://github.com/varnishcache/varnish-cache/pull/2429
[2] https://varnish-cache.org/security/VSV00002.html

Regards,
Salvatore



Marked as fixed in versions varnish/5.0.0-7+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 15 Nov 2017 11:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#881808; Package src:varnish. (Wed, 29 Nov 2017 11:48:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Wed, 29 Nov 2017 11:48:03 GMT)


Message #12 received at 881808@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 881808@bugs.debian.org, Stig Sandbeck Mathisen <ssm@fnord.no>
Subject: Re: Bug#881808: varnish: CVE-2017-8807: Data leak - '-sfile' Stevedore transient objects
Date: Wed, 29 Nov 2017 12:46:01 +0100
Hello!

On Wed, Nov 15, 2017 at 12:43:08PM +0100, Salvatore Bonaccorso wrote:
> Source: varnish
> Version: 5.0.0-1
> Severity: serious
> Tags: patch security upstream fixed-upstream
> Forwarded: https://github.com/varnishcache/varnish-cache/pull/2429
> Control: fixed -1 5.0.0-7+deb9u2
> 
> Hi,
> 
> the following vulnerability was published for varnish.
> 
> CVE-2017-8807[0]:
> Data leak - '-sfile' Stevedore transient objects

Any news regarding the upload for unstable?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#881808; Package src:varnish. (Wed, 29 Nov 2017 20:15:03 GMT)


Acknowledgement sent to Stig Sandbeck Mathisen <ssm@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Wed, 29 Nov 2017 20:15:03 GMT)


Message #17 received at 881808@bugs.debian.org:

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 881808@bugs.debian.org
Subject: Re: [Pkg-varnish-devel] Bug#881808: varnish: CVE-2017-8807: Data leak - '-sfile' Stevedore transient objects
Date: Wed, 29 Nov 2017 21:03:33 +0100
Salvatore Bonaccorso <carnil@debian.org> writes:

> Any news regarding the upload for unstable?

I'm building and testing it now, and it should hit unstable shortly.

-- 
Stig Sandbeck Mathisen




Reply sent to Stig Sandbeck Mathisen <ssm@debian.org>:
You have taken responsibility. (Wed, 29 Nov 2017 21:15:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 29 Nov 2017 21:15:03 GMT)


Message #22 received at 881808-close@bugs.debian.org:

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: 881808-close@bugs.debian.org
Subject: Bug#881808: fixed in varnish 5.2.1-1
Date: Wed, 29 Nov 2017 21:10:32 +0000
Source: varnish
Source-Version: 5.2.1-1

We believe that the bug you reported is fixed in the latest version of
varnish, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881808@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stig Sandbeck Mathisen <ssm@debian.org> (supplier of updated varnish package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 Nov 2017 20:48:23 +0100
Source: varnish
Binary: varnish varnish-doc libvarnishapi1 libvarnishapi-dev
Architecture: source
Version: 5.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>
Changed-By: Stig Sandbeck Mathisen <ssm@debian.org>
Description:
 libvarnishapi-dev - development files for Varnish
 libvarnishapi1 - shared libraries for Varnish
 varnish    - state of the art, high-performance web accelerator
 varnish-doc - documentation for Varnish Cache
Closes: 881808
Changes:
 varnish (5.2.1-1) unstable; urgency=medium
 .
   * Imported upstream release 5.2.1 (closes: #881808, CVE-2017-8807)
   * Refresh varnishreload from upstream packaging repo
Checksums-Sha1:
 2ac43bfd69ba771dcaf647152b051ff965ee97cd 2476 varnish_5.2.1-1.dsc
 d4ca40d4faf984ec708b77ef3d01a63c23e41802 2827676 varnish_5.2.1.orig.tar.gz
 be5ed5ef44b9ce90137ffbacb3b86b0a5380226e 21644 varnish_5.2.1-1.debian.tar.xz
 4c0416f6756f2d8712817256bb56baad13006467 8940 varnish_5.2.1-1_amd64.buildinfo
Checksums-Sha256:
 3aba77c7f65e6fc9daa3386e09853f41dcba30ed0d29ed5a780c1c7797ea74c3 2476 varnish_5.2.1-1.dsc
 b8452c9d78c16f78c8cfd1c1a1e696523bf64b7721c330150dcc0852459014b3 2827676 varnish_5.2.1.orig.tar.gz
 1e87eef1c54cbc8b331c5b2d85ce2b843ba04ed8972520360f12ba63c300bfa6 21644 varnish_5.2.1-1.debian.tar.xz
 525a1f7f32bdfca12f4c1fee91b22c9bece362fe457b44bb64af9c63e7b36e53 8940 varnish_5.2.1-1_amd64.buildinfo
Files:
 56adb9f3311c393fd393cad1cd2d03a7 2476 web optional varnish_5.2.1-1.dsc
 39e3014b36cc599c7e4951aac84bb18e 2827676 web optional varnish_5.2.1.orig.tar.gz
 fafeb0f191a84b3ead3bc85ef722f93c 21644 web optional varnish_5.2.1-1.debian.tar.xz
 6b8f46866c49df2d01ba42915a093083 8940 web optional varnish_5.2.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Dec 2017 07:25:32 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:50:42 2019; Machine Name: buxtehude
