CVE-2020-11653

Name	CVE-2020-11653
Description	An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3208-1
Debian Bugs	956307

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
varnish (PTS)	jessie, jessie (lts)	4.0.2-1+deb8u1	fixed
	stretch (security), stretch (lts), stretch	5.0.0-7+deb9u3	fixed
	buster (security), buster, buster (lts)	6.1.1-1+deb10u4	fixed
	bullseye (security), bullseye	6.5.1-1+deb11u3	fixed
	bookworm	7.1.1-1.1	fixed
	sid, trixie	7.6.0-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
varnish	source	wheezy	(unfixed)	end-of-life
varnish	source	jessie	(not affected)
varnish	source	stretch	(not affected)
varnish	source	buster	6.1.1-1+deb10u4		DLA-3208-1
varnish	source	(unstable)	6.4.0-1			956307

Notes

[stretch] - varnish <not-affected> (Only affects 6.x)
[jessie] - varnish <not-affected> (Only affects 6.x)
https://varnish-cache.org/security/VSV00005.html#vsv00005
https://github.com/varnishcache/varnish-cache/commit/2d8fc1a784a1e26d78c30174923a2b14ee2ebf62