This updates to the 6.0.10, 6.6.2, and 7.0.2 versions of Varnish (released 2022-01-25), addressing the VSV00008 HTTP/1 Request Smuggling Vulnerability. More information here: https://varnish-cache.org/security/VSV00008.html
A couple other things to note:
This PR also updates the varnish-cache.org tarball URLs in template files to use HTTPS instead of HTTP. If there's a technical reason behind using HTTP, just let me know and I'll drop the commit, re-run populate.sh, and update this branch.
Similarly, this updates varnish-cache.org tarball URLs in template files to use the /downloads/ path (e.g., https://varnish-cache.org/downloads/varnish-7.0.2.tgz), as currently used on the Varnish website (e.g., the tarball link on the 7.0.2 release page). varnish-cache.org previously used URLs with a /_downloads/ path (e.g., https://varnish-cache.org/_downloads/varnish-7.0.2.tgz) but this changed to /downloads/ sometime in the past couple months. The /_downloads/ URLs continue to resolve (200) but this could break in the future, so it's probably best to update these URLs to align with the links on varnish-cache.org.