ingvar | Got a question on CVE-2020-11653 aka 1971504. I think it is important. Being new to the ubuntu bug/change process, I'd like to know if there is anything else I should do to get attention to this bug. | 11:37 |
---|---|---|
ubottu | An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11653> | 11:37 |
ingvar | I have added my comments to that bug | 11:37 |
ingvar | https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1971504 | 11:42 |
ubottu | Launchpad bug 1971504 in varnish (Ubuntu) "Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic" [Medium, Fix Committed] | 11:42 |
rbasak | ingvar: that bug is confusing since it covers multiple issues. I suggest that if you want to track a specific issue in the bug tracker, you ensure that a bug exists that specifically tracks that issue only. | 12:42 |
rbasak | ingvar: we generally cherry-pick security fixes, so if you provide a suitable debdiff that fixes just a specific issue and it meets the security team's requirements, then they can sponsor it for you. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue, and for help, use #ubuntu-security. | 12:44 |
rbasak | According to https://ubuntu.com/security/CVE-2020-11653 Ubuntu is not affected by that CVE. Is that wrong? If so, please ask in #ubuntu-security for that entry to be fixed. | 12:45 |
ubottu | An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11653> | 12:45 |
ingvar | rbasak: Thanks. Being used to the patching method in rpms, I find Debian/Ubuntu's quilt quite cumbersome. I may look into this, but I do _not_ guarantee anything. I have reported my findings in #ubuntu-security. | 12:56 |
=== xenial is now known as Guest9185
=== xenial is now known as Guest6554
=== xenial is now known as Guest6423