=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: amurray
[12:52] Hello. A local team discovered a few days ago that CVE-2020-11653 is probably _not_ fixed in Ubuntu focal. I have added our findings to https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1971504
[12:52] Launchpad bug 1971504 in varnish (Ubuntu) "Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic" [Medium, Fix Committed]
[12:52] An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
[12:53] In short: The patch set added to fix that CVE for varnish-6.2.1 is not complete, and the version of varnish installed with the latest focal updates is still potentially vulnerable to DoS attacks.
[13:12] pfsmorigo: ^
=== ephemer0l is now known as GeneralDiscourse