
CVE-2025-8671/varnish: bookworm/bullseye triage and add regression info

CVE-2025-8671's fix relies on CVE-2023-44487's fix, which was triaged as "Minor issue, too intrusive to backport" in bookworm and bullseye. Therefore, we follow the same approach for CVE-2025-8671.

On the 6.0 LTS branch, CVE-2025-8671's fix is [1], which relies on h2_rapid_reset, introduced in [2] to fix CVE-2023-44487. As pointed out in #1056156, we are not following the 6.0 LTS branch and there are a lot of commits between 6.0 LTS and 6.5.1 in bullseye, but they serve as pointers.

[1] https://github.com/varnishcache/varnish-cache/commit/7c3fac93c39260873b87f69b6178e73abb42be6b (varnish-6.0.15)

[2] https://github.com/varnishcache/varnish-cache/commit/e555093912df07fd06ba8fb164517eb92267db3a (varnish-6.0.12)

The fix for v7.7 has introduced a regression on varnish [3]. Add this info to NOTES and the commit fixing it.

[3] https://github.com/varnishcache/varnish-cache/issues/4380

Edited by Carlos Henrique Lima Melara
