A security update for Varnish has been released for Debian GNU/Linux 9 (Stretch) as part of the Extended LTS (Long Term Support) program. Identified as ELA-1480-1, this update addresses a significant vulnerability in the Varnish Cache, specifically version 5.0.0-7+deb9u4.
The vulnerability, cataloged under CVE-2025-47905, pertains to a client-side desynchronization issue. It arises from a flaw in how Varnish handles chunked transfer encoding, a method used to send HTTP messages in pieces. Attackers can exploit this flaw by sending malformed HTTP/1 requests, which take advantage of improper message framing to smuggle additional requests into the Varnish server. The core of the problem lies in Varnish's failure to properly handle CRLF (Carriage Return Line Feed) sequences to correctly delineate chunk boundaries.
To ensure the security and integrity of systems running Varnish on Debian GNU/Linux 9, users are strongly encouraged to apply this update promptly. This will mitigate the risks associated with the identified vulnerability, thereby protecting against potential attacks that could exploit this weakness.
In addition to addressing this specific vulnerability, system administrators should regularly monitor for updates and vulnerabilities related to all installed packages, not just Varnish, to maintain a secure environment. Regular security audits and adherence to best practices in web server configuration can further enhance the security posture of applications relying on web acceleration technologies like Varnish
The vulnerability, cataloged under CVE-2025-47905, pertains to a client-side desynchronization issue. It arises from a flaw in how Varnish handles chunked transfer encoding, a method used to send HTTP messages in pieces. Attackers can exploit this flaw by sending malformed HTTP/1 requests, which take advantage of improper message framing to smuggle additional requests into the Varnish server. The core of the problem lies in Varnish's failure to properly handle CRLF (Carriage Return Line Feed) sequences to correctly delineate chunk boundaries.
To ensure the security and integrity of systems running Varnish on Debian GNU/Linux 9, users are strongly encouraged to apply this update promptly. This will mitigate the risks associated with the identified vulnerability, thereby protecting against potential attacks that could exploit this weakness.
In addition to addressing this specific vulnerability, system administrators should regularly monitor for updates and vulnerabilities related to all installed packages, not just Varnish, to maintain a secure environment. Regular security audits and adherence to best practices in web server configuration can further enhance the security posture of applications relying on web acceleration technologies like Varnish
Varnish security update for Debian 9 ELTS
A Varnish security update for Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1480-1 varnish security updateVarnish security update for Debian 9 ELTS @ Linux Compatible
