[14:23] ingvar, hello, do you think it's possible to have a backport of the complete fix for 6.2.1 (focal version) or just mitigate the problem? (tks mdeslaur)
[14:28] pfsmorigo: I filed bug 1986627 for the incomplete fix.
[14:28] Bug 1986627 in varnish (Ubuntu) "Incomplete fix for CVE-2020-11653" [Undecided, New] https://launchpad.net/bugs/1986627
[14:30] if it's causing an issue for users, and we don't know what the fix is, we need to back out the patch and release a new package
[14:31] mdeslaur: The fix is known. See the last comment in bug 1971504
[14:31] Bug 1971504 in varnish (Ubuntu) "Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic" [Medium, Fix Committed] https://launchpad.net/bugs/1971504
[14:32] I don't see a fix in that comment
[14:33] mdeslaur: I mean the second-to-last comment: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1971504/comments/33
[14:33] Launchpad bug 1971504 in varnish (Ubuntu) "Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic" [Medium, Fix Committed]
[14:33] I will return in 10 minutes but I will remain online.
[14:39] I am back.
[15:10] luis220413: i am not the security team but it sounds like you or others are proposing a full version bump. unless the code changes between .1 and .2 are trivial and well documented what specifically was changed and why i'm not sure how feasible that proposed fix from the fedora maintainer would be
[15:10] luis220413: No. The comment says: "Which means that most of the code changes between varnish-6.2.2 and 6.2.3 (tests and doc and stuff may be dropped) should be included in the patch set that fixes CVE-2020-11653."
[15:10] An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
[15:11] *teward: ^
[15:12] we have .1 with patches. including changes between .2 and .3 would be a version bump from .1 to .3. so the changes between .1 and .2 *are* relevant as i stated
[15:12] whether we drop tests and documentation or not it's still a version bump if there's not cherrypickable changes for this
[15:13] teward: The changes between 6.2.1 and 6.2.2 are trivial and included in version 6.2.1-2ubuntu0.1: https://github.com/varnishcache/varnish-cache/compare/varnish-6.2.1...varnish-6.2.2
[15:13] it is, ultimately, a security team decision on whether they want to prod it with a stick and such and do these changes, but the consideration points are still there
[15:14] teward: The remaining changes can be cherry-picked: https://github.com/varnishcache/varnish-cache/compare/varnish-6.2.2...varnish-6.2.3
[15:26] ebarretto: The Xen SRU in bug 1956166 was merged! I would like you to provide a progress report on the review of my debdiff in bug 1970507.
[15:26] Bug 1956166 in xen (Ubuntu Focal) "Ubuntu 22.04 doesn't boot with xen" [Medium, Fix Released] https://launchpad.net/bugs/1956166
[15:27] Bug 1970507 in xen (Ubuntu) "No security updates since release in all Ubuntu releases" [Medium, Fix Committed] https://launchpad.net/bugs/1970507
[15:27] s/merged/released to focal-updates/
[16:17] luis220413, are you going to work on a debdiff for the missing patches for CVE-2020-11653? I see 19 commits but some of them are already included.
[16:17] An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
[16:39] pfsmorigo: Yes. There are 14 commits to be included in that debdiff.
[16:40] This CVE only affects Ubuntu 20.04.
[16:59] pfsmorigo: I am working on it now.
[17:21] pfsmorigo: I will return in 5 minutes but I will remain online. There are only 4 patches remaining.
[17:31] pfsmorigo: The debdiff is ready.
[17:33] The patched package has just been uploaded to the usual PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates).
[17:37] pfsmorigo: I will return in 45 minutes but remain online.
[18:03] I am back.