[11:37] Got a question on CVE-2020-11653 aka 1971504. I think it is important. Being new to the Ubuntu bug/change process, I'd like to know if there is anything else I should do to get attention to this bug.
[11:37] An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
[11:37] I have added my comments to that bug
[11:42] https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1971504
[11:42] Launchpad bug 1971504 in varnish (Ubuntu) "Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic" [Medium, Fix Committed]
[12:42] ingvar: that bug is confusing since it covers multiple issues. I suggest that if you want to track a specific issue in the bug tracker, you ensure that a bug exists that specifically tracks that issue only.
[12:44] ingvar: we generally cherry-pick security fixes, so if you provide a suitable debdiff that fixes just a specific issue and it meets the security team's requirements, then they can sponsor it for you. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue, and for help, use #ubuntu-security.
[12:45] According to https://ubuntu.com/security/CVE-2020-11653 Ubuntu is not affected by that CVE. Is that wrong? If so, please ask in #ubuntu-security for that entry to be fixed.
[12:45] An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
[12:56] rbasak: Thanks. Being used to the patching method in rpms, I find Debian/Ubuntu's quilt quite cumbersome. I may look into this, but I do _not_ guarantee anything.
I have reported my findings in #ubuntu-security.