Archive for February, 2022

Running varnish from EPEL7? Upgrade to varnish-6.0 LTS now

Thursday, February 17th, 2022

Yesterday I pushed an update to varnish-4.0.5 in EPEL7. It includes the following advice:

SECURITY: The varnish-4.0.x branch is marked END OF LIFE by the Varnish Cache upstream project. Please consider upgrading to varnish-6.0 LTS or newer. Links to packages compatible with VCL 4.0 and EPEL7 may be found at https://varnish-cache.org/releases/

varnish-4.0.5 is vulnerable to CVE-2022-23959. If you are unable to upgrade to a current version of varnish, consider mitigating against this attack; see the instructions in the included file vsv8_epel7_varnish405.vcl.

So to repeat: varnish-4.0.x is EOL. The 6.0 LTS branch may be used in VCL 4.0 mode with minimal changes, and Varnish Software provides free el7-compatible packages that are well tested for production. If you use varnish-4.0 from EPEL7 on RHEL7, CentOS7, or other clones, it is time to upgrade now. See https://packagecloud.io/varnishcache/varnish60lts/install#manual-rpm for repo details, and https://varnish-cache.org/docs/6.0/whats-new/upgrading-6.0.html for details on the upgrade process.
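For anyone checking a fleet of el7 hosts for the EOL branch, here is a small POSIX sh check, added here as an example and not part of the original post or of the EPEL or Varnish packaging. It assumes the "varnishd -V" banner has the form "varnishd (varnish-X.Y.Z revision ...)" on its first line; the revision hash in the sample banner is constructed. A major version below 6 is classified as needing the upgrade to 6.0 LTS or newer, which is the advice above.

```shell
#!/bin/sh
# Added example: classify the installed Varnish version on an el7 host as
# "needs upgrade" (below the 6.0 LTS branch, e.g. EPEL7's EOL 4.0.x) or "ok".
# Assumption: "varnishd -V" prints "varnishd (varnish-X.Y.Z revision ...)".

# Extract "X.Y.Z" from a varnishd -V banner line; prints nothing if no match.
varnish_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*(varnish-\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 if the major version is below 6 (pre-6.0 LTS, i.e. EOL per the post),
# 1 if it is 6.0 LTS or newer, 2 if the version string is not numeric.
varnish_is_eol() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -lt 6 ] && return 0
    return 1
}

# Print a verdict for a banner line. Exit 0 when an upgrade is needed, 1 when
# the version is already 6.0 LTS or newer, 2 when the banner is unparsable.
varnish_needs_upgrade() {
    ver=$(varnish_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unknown: could not parse a version from: $1"
        return 2
    fi
    if varnish_is_eol "$ver"; then
        echo "NEEDS UPGRADE: varnish-$ver is below 6.0 LTS (see https://varnish-cache.org/releases/)"
        return 0
    fi
    echo "ok: varnish-$ver is 6.0 LTS or newer"
    return 1
}

# Live check when varnishd is installed; otherwise use a constructed banner.
if command -v varnishd >/dev/null 2>&1; then
    banner=$(varnishd -V 2>&1 | head -n 1)
else
    banner='varnishd (varnish-4.0.5 revision deadbeef)'   # constructed sample
fi
varnish_needs_upgrade "$banner" || true
```

Run it on each host (or feed it saved "varnishd -V" output); an exit status of 0 from varnish_needs_upgrade marks a host still on a pre-6.0 branch.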