CVE-2019-15892

Advisory

Plone.recipe.varnish 6.0.0b1 sets as default version Varnish Cache 6.0.4. It includes several security fixes compared to Varnish Cache 5.x versions.
https://github.com/collective/plone.recipe.varnish/pull/75/files

Affected package

Affected versions

Fixed versions

Vulnerability changelog

--------------------

- BREAKING: only support Varnish version 6.0 LTS and generates config (VCL) for this version
only as well. If you want to use a different Varnish version with this recipe to use the
software build and runner setup, provide your own VCL and a custom link to a Varnish
download url. (Closes 70)
[fredvd]

- Update to Varnish 6.0.6 LTS security release. [fredvd]

- Set default vcl_hash value so the fallback default.vcl hash function doesn't get activated. This
will break purging because the hash from the incoming request on your public dns/hostname will
never match the internal hostname when Plone makes the purge request. (Closes 61, Refs 70)

- Add an option to modify the health-check url defaulting to Plone's /ok view.
[erral]

- Disable building sphinx documentation in the varnish-build/cmmi stage of installing the software.
[fredvd]

- Update Varnish versions. Anything below 6.0.X is officially unmaintained. Update versions 6 and 6.0 to latest version 6.0.4
[fredvd]

- Set default version to version 6, downloading 6.0.4 if no url is provided.
[fredvd]

Resources

• https://pypi.org/project/plone.recipe.varnish
• https://pyup.io/changelogs/plone.recipe.varnish/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15892