Bug in OpenSSL 3.0.17 affecting Varnish Enterprise Announcement

Published August 8, 2025.

Varnish Enterprise running on Debian Bookworm with openssl/3.0.17-1~deb12u1 installed is affected by a bug in this specific version of OpenSSL. The Docker images provided by Varnish Software are built on Debian Bookworm, and are therefore affected by this.

Impact

The bug may cause a race condition, which manifests itself as a panic of the child process.

If varnishd is already running, the panic may be triggered, forcing the child process to stop. The child process is then started again automatically.

If varnishd is being started, the panic may be triggered during startup, causing the startup to fail. Depending on the configuration, a subsequent restart may succeed.

Identification

The panic that may be triggered in Varnish Enterprise by this OpenSSL bug can look like this:

$ sudo varnishadm panic.show
Panic at: Tue, 05 Aug 2025 13:23:33 GMT
Wrong turn at cache/cache_main.c:371:
Signal 6 (Aborted) received at 0x67000c5132 si_code -6
version = varnish-plus-6.0.14r8 revision a8aa519ab8b7370a9b97ffcfa995cb0868333b3c, vrt api = 6010.0
ident = Linux,6.1.0-37-amd64,x86_64,-jlinux,-smse,-hcritbit,epoll
now = 2495767.700688 (mono), 1754400213.590727 (real)
Backtrace:
  ip=0x55cddb169855 sp=0x7ff499a3e380 <VBT_format+0x65>
  ip=0x55cddb06d020 sp=0x7ff499a3e4a0 <pan_ic+0x210>
  ip=0x55cddb165c25 sp=0x7ff499a3e5b0 <VAS_Fail_Dump+0x15>
  ip=0x55cddb165a0f sp=0x7ff499a3e5c0 <VAS_Fail+0xf>
  ip=0x55cddb0654b2 sp=0x7ff499a3e5d0 <child_signal_handler+0x112>
  ip=0x7ff49a7ac050 sp=0x7ff499a3eac0 <__sigaction+0x40>
  ip=0x7ff49a7faeec sp=0x7ff492d3b5e0 <pthread_key_delete+0x14c>
  ip=0x7ff49a7abfb2 sp=0x7ff492d3b620 <gsignal+0x12>
  ip=0x7ff49a796472 sp=0x7ff492d3b630 <abort+0xd3>
  ip=0x7ff49a796395 sp=0x7ff492d3b6f0
  ip=0x7ff49a7a4ec2 sp=0x7ff492d3b740 <__assert_fail+0x42>
  ip=0x7ff49a7fc54d sp=0x7ff492d3b770 <pthread_mutex_lock+0x1dd>
  ip=0x55cddb1a3b1b sp=0x7ff492d3b790 <je_tcache_bin_flush_small+0x23b>
  ip=0x55cddb1823d1 sp=0x7ff492d3b820 <ifree+0x321>
  ip=0x7ff49a83fedd sp=0x7ff492d3b860 <closedir+0xd>
  ip=0x7ff49ac3483e sp=0x7ff492d3b870 <OPENSSL_DIR_end+0x1e>
  ip=0x7ff49ad377d0 sp=0x7ff492d3b890 <X509_get0_reject_objects+0x49530>
  ip=0x7ff49acaf8d6 sp=0x7ff492d3b8a0 <OPENSSL_sk_is_sorted+0x1a6>
  ip=0x7ff49acb069e sp=0x7ff492d3b8c0 <OSSL_STORE_close+0xe>
  ip=0x7ff49acc02c8 sp=0x7ff492d3b8e0 <X509_load_cert_crl_file+0xc8>
  ip=0x7ff49acc043d sp=0x7ff492d3b960 <X509_load_cert_crl_file+0x23d>
  ip=0x7ff49acdc1fb sp=0x7ff492d3b9b0 <X509_STORE_CTX_get_by_subject+0xeb>
  ip=0x7ff49acdca6a sp=0x7ff492d3ba20 <X509_STORE_CTX_get1_issuer+0x6a>
  ip=0x7ff49ace0e87 sp=0x7ff492d3ba80 <X509_cmp_time+0x667>
  ip=0x7ff49ace2ad6 sp=0x7ff492d3bb10 <X509_get_pubkey_parameters+0x176>
  ip=0x7ff49ace3bac sp=0x7ff492d3bb80 <X509_verify_cert+0xbc>
  ip=0x7ff49af81920 sp=0x7ff492d3bbb0 <SSL_get_ex_data_X509_STORE_CTX_idx+0xda0>
  ip=0x7ff49afbf52e sp=0x7ff492d3bbe0 <SSL_in_before+0x476e>
  ip=0x7ff49afbb765 sp=0x7ff492d3bc10 <SSL_in_before+0x9a5>
  ip=0x55cddb12deda sp=0x7ff492d3bcc0 <VTLS_do_handshake+0x6a>
  ip=0x55cddb12bd87 sp=0x7ff492d3bd10 <bssl_vtp_init+0x257>
  ip=0x55cddb04200f sp=0x7ff492d3bd70 <vtp_bssl_open+0x1ff>
  ip=0x55cddb04372d sp=0x7ff492d3bdd0 <VCP_Open+0x6d>
  ip=0x55cddb043d0d sp=0x7ff492d3be20 <VCP_Get+0x13d>
  ip=0x55cddb03602f sp=0x7ff492d3be80 <vbp_poke+0x14f>
  ip=0x55cddb036e27 sp=0x7ff492d3e030 <vbp_task+0x87>
  ip=0x55cddb09f3b1 sp=0x7ff492d3e050 <WRK_Thread+0x2d1>
  ip=0x55cddb09fa20 sp=0x7ff492d3ec40 <pool_thread+0x90>
  ip=0x7ff49a7f91f5 sp=0x7ff492d3ec60 <pthread_condattr_setpshared+0x515>
  ip=0x7ff49a87989c sp=0x7ff492d3ed00 <__xmknodat+0x23c>
addr = (nil),
errno = 9 (Bad file descriptor)
thread = (cache-worker)
thr.req = (nil) {
},
thr.busyobj = (nil) {
},
[...]

Versions affected

The bug was introduced with OpenSSL 3.0.17, which is currently only provided by Debian Bookworm. The problematic version in Debian Bookworm is openssl/3.0.17-1~deb12u1, which was released on the 4th of August 2025. Debian is currently working on deploying a fixed version of this package that reverts the problematic commits from OpenSSL.

The fixed package which reverts the problematic commits is called openssl/3.0.17-1~deb12u2. At the time of this writing, this package is proposed for release in the Debian release system and is in their staging environment pending release.

OpenSSL is also working on providing a fix.

Workarounds

If it is not possible to wait for the proper fix to be made available by Debian, the following workarounds can be considered:

  • Manually downloading and upgrading the fixed version of OpenSSL 3.0.17 from Debian:

    wget https://ftp.debian.org/debian/pool/main/o/openssl/libssl3_3.0.17-1~deb12u2_amd64.deb
    sudo dpkg -i libssl3_3.0.17-1\~deb12u2_amd64.deb
    
  • OpenSSL can be downgraded to openssl/3.0.16-1~deb12u1. OpenSSH depends on OpenSSL, so the OpenSSH packages must be pinned to a matching build at the same time, as in this example command:

    sudo apt-get install libssl3=3.0.16-1~deb12u1 openssh-server=1:9.2p1-2+deb12u6 openssh-client=1:9.2p1-2+deb12u6 openssh-sftp-server=1:9.2p1-2+deb12u6
    
  • If using the latest Docker image currently provided by Varnish Software, the previous image can be used temporarily instead. That previous image is quay.io/varnish-software/varnish-plus:6.0.14r7.
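
The following is an added example, not part of this announcement: a small POSIX shell check that reports whether a host runs the broken Debian build named in the Versions affected section, and whether a saved panic.show output carries the OpenSSL certificate-store frames from the backtrace in the Identification section. The version strings and symbol names are taken from this announcement; the sample panic text is a constructed excerpt of that backtrace, and the grep on symbol names is a heuristic for triage, not proof of the cause.

```sh
#!/bin/sh
# Added example (not from the Varnish Software advisory): checks whether
# (1) the installed libssl3 is the broken Debian build named in the advisory and
# (2) a saved "varnishadm panic.show" output shows the OpenSSL certificate-store
# frames from the published backtrace. Sample panic text below is constructed.

AFFECTED_VERSION='3.0.17-1~deb12u1'   # broken build (from the advisory)
FIXED_VERSION='3.0.17-1~deb12u2'      # reverting build (from the advisory)

# Exit 0 when the given libssl3 version string is the broken build.
is_affected_libssl3() {
    [ "$1" = "$AFFECTED_VERSION" ]
}

# Exit 0 when the panic text shows the frames that identify this bug:
# OpenSSL's store teardown (OPENSSL_DIR_end / X509_load_cert_crl_file)
# reached from a Varnish TLS backend handshake (VTLS_do_handshake).
panic_matches_openssl_bug() {
    printf '%s\n' "$1" | grep -q 'OPENSSL_DIR_end' &&
    printf '%s\n' "$1" | grep -q 'X509_load_cert_crl_file' &&
    printf '%s\n' "$1" | grep -q 'VTLS_do_handshake'
}

# Installed libssl3 version via dpkg, or "unknown" where dpkg is not available.
installed_libssl3_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libssl3 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# One-word assessment for a version string and (possibly empty) panic text.
assess() {
    if is_affected_libssl3 "$1"; then
        if panic_matches_openssl_bug "$2"; then
            echo "affected-and-panicked"          # broken build, matching panic recorded
        else
            echo "affected"                       # broken build, no matching panic yet
        fi
    elif panic_matches_openssl_bug "$2"; then
        echo "panic-without-affected-version"     # same frames, different libssl3: look elsewhere
    else
        echo "not-affected"
    fi
}

# Constructed excerpt of the backtrace shown in the advisory (not a live capture).
SAMPLE_PANIC='Panic at: Tue, 05 Aug 2025 13:23:33 GMT
Wrong turn at cache/cache_main.c:371:
Signal 6 (Aborted) received at 0x67000c5132 si_code -6
Backtrace:
  ip=0x7ff49ac3483e sp=0x7ff492d3b870 <OPENSSL_DIR_end+0x1e>
  ip=0x7ff49acc02c8 sp=0x7ff492d3b8e0 <X509_load_cert_crl_file+0xc8>
  ip=0x7ff49ace3bac sp=0x7ff492d3bb80 <X509_verify_cert+0xbc>
  ip=0x55cddb12deda sp=0x7ff492d3bcc0 <VTLS_do_handshake+0x6a>'

# On a real host:
#   assess "$(installed_libssl3_version)" "$(sudo varnishadm panic.show 2>/dev/null)"
```

The version comparison is a deliberate exact match: only openssl/3.0.17-1~deb12u1 is named as broken, and both 3.0.16-1~deb12u1 and the reverting 3.0.17-1~deb12u2 must report as not affected. The panic match requires the OpenSSL store frames and the Varnish TLS handshake frame together, so an unrelated abort in the child process does not get attributed to this bug.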

Timeline

Disclaimer: As this is still work in progress, the timeline below is subject to change.

2025-07-01

  • OpenSSL 3.0.17 was released upstream, containing the bug.

2025-08-04

  • Debian Bookworm released OpenSSL 3.0.17 as the package openssl/3.0.17-1~deb12u1 in the repository bookworm-updates.
  • Varnish Software released an updated Docker image based on Debian Bookworm. The race condition was not triggered in the test suite, so the release went through.

2025-08-08

  • This announcement is posted.
