Comment 33 for bug 1971504

Ingvar-j (ingvar-j) wrote : Re: Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic

This bug is still visible on Focal. This is quite serious, as it means that everybody using varnish from the default Ubuntu repos in production is still vulnerable to a DoS attack.

Focal has varnish-6.2.1 with patches. varnish-6.2.3 was released with only one fix: this CVE. Which means that most of the code changes between varnish-6.2.2 and 6.2.3 (tests, docs and such may be dropped) should be included in the patch set that fixes CVE-2020-11653. The patches included in 6.2.1-2ubuntu0.1 are _not_ sufficient to cover the problems.

We observed this on a live test system last week. Special calls crashed varnish's children, and varnishd asserts and throws away the cache. Which makes this a DoS attack vector.

When varnish-6.2.3 was released, upstream added a regression test for this particular bug. This means that reproducing it is trivial: just install the latest varnish from Ubuntu's update repos and run the test:

focal$ sudo apt install varnish

focal$ dpkg -l varnish | awk '/^ii/ { print $2,$3}'
varnish 6.2.1-2ubuntu0.1

focal$ wget https://raw.githubusercontent.com/varnishcache/varnish-cache/varnish-6.2.3/bin/varnishtest/tests/f00005.vtc

focal$ varnishtest f00005.vtc
(...)
# top TEST f00005.vtc FAILED (0.429) exit=2

The mitigation referenced upstream, that is, increasing the session workspace, still works. For production use, I would recommend using varnish-6.0.x, which is the upstream LTS version and is still updated. The other varnish-6.x branches are no longer maintained upstream.

Best regards,
Ingvar Hagelund
(Maintainer of varnish in Fedora)

References:
* Another instance of this particular bug on Focal: https://github.com/varnishcache/varnish-cache/issues/3822
* Upstream answer to CVE-2020-11653, including mitigation: https://varnish-cache.org/security/VSV00005.html
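The reproduction steps from the comment above (check the installed package, fetch upstream's f00005.vtc, run it with varnishtest), wrapped into a script that gives a yes/no verdict. This is an added example, not code from the bug report, from Ubuntu or from the varnish project. It assumes dpkg, wget and varnishtest are on PATH when invoked with the argument `run`, uses the f00005.vtc URL quoted in the comment, treats any 6.2.x upstream version below 6.2.3 as worth testing regardless of the Ubuntu revision, and the `workspace_session` value it prints for the mitigation is a placeholder, not a value taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the bug report or the varnish project): wrap the
# reproduction from the comment into a check. Run with "run" to do the live
# check; without an argument the file only defines functions.
# Assumptions: dpkg, wget and varnishtest are installed; the vtc URL is the
# one quoted in the comment; the workspace_session value below is a placeholder.

VTC_URL="https://raw.githubusercontent.com/varnishcache/varnish-cache/varnish-6.2.3/bin/varnishtest/tests/f00005.vtc"
FIXED_UPSTREAM="6.2.3"   # first 6.2.x upstream release carrying the fix (per the comment)

# Print the installed varnish version from `dpkg -l varnish` output on stdin.
# Exits 1 when there is no "ii" (installed) row for the package.
installed_version() {
    awk '$1 == "ii" && $2 == "varnish" { print $3; found = 1 }
         END { exit !found }'
}

# Strip the Debian revision ("6.2.1-2ubuntu0.1" -> "6.2.1") so only the
# upstream part is compared against the upstream release with the fix.
upstream_version() {
    printf '%s\n' "$1" | sed 's/-.*$//'
}

# Compare two dotted upstream versions numerically; prints -1, 0 or 1.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) { print "-1"; exit }
            if (xa > yb) { print "1"; exit }
        }
        print "0"
    }'
}

# A 6.2.x package whose upstream part is older than 6.2.3 is worth testing
# even when the Ubuntu revision claims to carry patches (the case reported).
worth_testing() {
    up=$(upstream_version "$1")
    case "$up" in
        6.2.*) [ "$(version_cmp "$up" "$FIXED_UPSTREAM")" -lt 0 ] ;;
        *) return 1 ;;
    esac
}

# Map varnishtest's exit status to a verdict: the regression test passing
# means the fix is present; a failing test means the crash is reproducible.
verdict() {
    if [ "$1" -eq 0 ]; then echo FIXED; else echo VULNERABLE; fi
}

main() {
    command -v varnishtest >/dev/null 2>&1 || { echo "varnishtest not found; install varnish first" >&2; exit 2; }
    ver=$(dpkg -l varnish 2>/dev/null | installed_version) || { echo "varnish is not installed" >&2; exit 2; }
    echo "installed: varnish $ver"
    worth_testing "$ver" || echo "upstream part is not a pre-6.2.3 6.2.x release; running the test anyway"
    tmp=$(mktemp -d) || exit 2
    wget -q -O "$tmp/f00005.vtc" "$VTC_URL" || { echo "download of f00005.vtc failed" >&2; rm -rf "$tmp"; exit 2; }
    varnishtest "$tmp/f00005.vtc"; rc=$?
    rm -rf "$tmp"
    v=$(verdict "$rc")
    echo "f00005.vtc: $v"
    if [ "$v" = VULNERABLE ]; then
        echo "mitigation per the advisory is to raise the session workspace, e.g.:"
        echo "  varnishadm param.set workspace_session 1k   # placeholder value, size it for your traffic"
        exit 1
    fi
}

if [ "${1:-}" = run ]; then main "$@"; fi
```

Run it as `sh check-vsv00005.sh run` on the host; exit status 0 means the regression test passed, 1 means it still fails (the Focal package at the time of the comment), 2 means the check itself could not run. The version gate only decides whether to print a warning, so a package that claims a backport still gets tested, which is the point of the comment.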