Varnish HTTP Cache

I’m new here, please explain this Varnish thing

What is happening

Vinyl Cache - Logo and Mascot Contest

Edits: We made changes since the first publication of this call forparticipation. SeeVinyl Cache - Logo and Mascot Contest Edits.

After nearly 20 years, we decided to rename the FOSS Varnish Cache project toVinyl Cache as explained in20 years old and it is time to get serious(er).

To make this rebranding happen, we need a new logo and a mascot. This is why weopen a contest for the best design. The top 3 to 6 winners will be rewardedmonetary prizes and eternal fame among Vinyl Cache users (not guaranteed butlikely).

How can you enter this contest?

The contest consists of two categories. We encourage you to make combinedsubmissions for both, and we suspect that selecting matching submissions will bea good choice, but we can not know this upfront.

(A1) Logotype and logomark

Design a logo. The logo should consist of two elements:

  • the text “Vinyl Cache” (logotype)

  • and a graphical logo / symbol (logomark) for Vinyl Cache.

It should be possible to use the logotype and logomark both in combination witheach other and separately, so provide both visual representations.

(A2) Mascot

The mascot should be a friendly character which users and contributors to VinylCache can positively identify with. Please do not suggest characters relating tovinyl turntable records.

Some of the properties of Vinyl Cache which we think would be great to associatewith the mascot are it being

  • fast and efficient,

  • versatile,

  • resilient, working reliably under tough conditions

  • clean, secure, well tested

It should be possible to use the mascot character as a standalone visual andalso in combination with the logotype and logomark, so please provide bothvisual representations if you make submissions to both categories.

What to submit

Please regard the competition as a pitch: Our intention is to see your ideas -we do not need polished, finalized work, but rather drafts or sketches andsome idea of how your finished designs usually looks like. This can be in theform of some examples or a portfolio.

To be clear, please submit:

    1. your drafts/sketches of

    • (A1) Logotype and logomarkand/or

    • (A2) Mascot

    and

    1. your portfolio or other examples of your finished designs.

The competition entries can be in any accessible digital format like SVG, PNG orPDF.

Please do not submit entries in proprietary formats.

Winner selection

The selection process will be guided not by how finished your entries are, butrather by originality and how well your ideas represent our project, given thatyou showed that you are able to finalize your work.

You get bonus points if you provide a good approximation of the logotype andlogomark in 7 bit ASCII (sorry, no UTF-8, we live in HTTP land).

See alsoother rules below.

We promise to be as fair and objective as possible to mere mortals and thejudges will not get to see any creator identifying information (unless you putit into your submission). But other than giving our word, the selection processis entirely up to the founding members of the Vinyl Cache project and we acceptno jurisdiction of a court regarding the procedure of this competition.

Monetary prizes

We will award prizes to the three best designs either in both categoriescombined or individually.

  • top 1 winner: 1000€ or 500€ + 500€ in total

  • top 2 winner: 250€ or 125€ + 125€

  • top 3 winner: 250€ or 125€ + 125€

The Vinyl Cache project does not handle any money. These prizes are donated byour long-term contributorhttps://uplex.de/

To make clear that we want to reward the tedious work of finalizing drafts, wewill first grant the same price of 250€ (for logo and mascot) or 125€ + 125€(for logo or mascot) to all 3-6 best entries as submitted.

We will then work with the first winner for logo and/or mascot, respectively, tofinalize their work and pay out the remaining 750€ (for logo and mascot) or 375€+ 375€ (for logo or mascot) for the final design.

Timeline

Other Rules

  • You can submit as many design proposals as you wish.

  • You may not use any AI tools for the creation of your submissions.

  • You may only use fonts and other elements compatible with licensing underCCBY. You may not use any elements incurring additional license fees.

  • You get bonus karma points if you work with FOSS tools only (but we do notwant to discriminate against any artist who chooses otherwise).

  • By entering designs into the contest, you promise to make a finalized versionof your entry available under theCC BY license if selected as a winner.Note that the Vinyl Cache project will have the same rights as everyone else.

  • You are free to re-use non-winning entries for any other purpose, but we askyou to avoid a public conflict with the chosen Vinyl Cache project branding.

  • In particular, we reserve the right not to name any winners if too fewsubmissions meet our quality expectations.

  • To redeem a price, you will need to issue a formal invoice.

2025-09-15 - New release: 8.0.0 with bonus project news

We have a new major release today:8.0.0,and some major project news for you.

20 years old and it is time to get serious(er)

Slagelse, 2025-09-15

This coming february 22nd, The Varnish Cache Project will officiallybe 20 years old. We consider the first surviving commit from thesubversion-to-git conversion the official birthday of the Project.

This is as good as any excuse to take stock and make some changesso we are ready for the next 20 years.

Open Source is not what it used to be: The EU has launched abroadside of directives against software related industries, andwhile they have gone to great lengths to carve out a niche for Freeand Open Source Software, they have wisely not chosen to make it a“Get out of jail for free” card to slap “FOSS” sticker on something.

Concepts like “Maintainers”, “Stewards” and “Contributors” of FOSShave formal legal definitions now, and we need to find out how wecan and want to fit in.

Which again means we have to find out who makes that kind of decisionsfor the project, both now and in the future.

Many successful FOSS projects have spawned “Foundations” which aretypically tax-exempt benefical/charity corporations in some countryor other, but we have decided to not go there. For one thing, noneof us want to take on such a task, but more importantly: We’re areless than impressed by how well that model seems to work in practice.

We will instead form a voluntary association, a “Forening”, underthe laws of Denmark, with bylaws that set out what the goal is(develop, maintain and distribute the software), who gets to makethe decisions (a governing board appointed by the members), who canbecome members (anybody but subject to approval by the members) andthat the association cannot ever hold or handle any money.

The commented bylaws of the association will be ratified by thefounders and made public this autumn, and the first general assemblywill be on Monday February 23rd 2026 - hopefully with many membershipapplications to approve - more about that when we publish the bylaws.

We will also, at the same time, reluctantly change the name of the project.

The Varnish Cache FOSS software was initiated and sponsored by theNorvegian newspaper Verdens Gang. They hired a company called“Linpro” to handle the logistics and me to write the code.

From Linpro grew the company Varnish Software, and if anybody had,they had earned the right to use “Varnish” in their name commercially.

I was deeply worried about the potential for confusion and linedrawing issues between the commercial entity and the FOSS project,and as Varnish Software have grown to become a huge internationalcompany, those worries materialized.

I thought I had an verbal agreement with them, that “Varnish Cache”was the FOSS project and “Varnish Software” was the commercialentity, but the current position of Varnish Software’s IP-lawyersis that nobody can use “Varnish Cache” in any context, without theirexplicit permission.

The need to get permission from Varnish Software to use our ownname has already caused some potential contributors and supportersfrom engaging with the FOSS project.

We have tried to negotiatiate with Varnish Software for many monthsabout this issue, but their IP-Lawyers still insist that VarnishSoftware owns the Varnish Cache name, and at most we have beingoffered a strictly limited, subject to their veto, permissionfor the FOSS project to use the “Varnish Cache” name.

We cannot live with that: We are independent FOSS project with our own name.

So we will change the name of the project.

The new association and the new project will be named “The VinylCache Project”, and this release 8.0.0, will be the last under the“Varnish Cache” name. The next release, in March will be under thenew name, and will include compatibility scripts, to make thetransition as smooth as possible for everybody.

I want to make it absolutely clear that this is 100% a mess of mymaking: I should have insisted on a firm written agreement aboutthe name sharing, but I did not.

I will also state for the record, that there are no hard feelingsbetween Varnish Software and the FOSS project.

Varnish Software has always been, and still is, an important andvalued contributor to the FOSS project, but sometimes even friendscan make a mess of a situation.

On behalf of the Varnish Cache Project,

Poul-Henning Kamp

2025-08-20 - New releases: 7.7.3, 7.6.5 and 6.0.16

There are new releases available,7.7.3,7.6.5 and6.0.16. These address a regression fromthe handling ofVSV00017.

2025-08-13 - Varnish HTTP/2 Made You Reset Attack

Please seeVSV00017 Varnish HTTP/2 Made You Reset Attack

2025-08-13 - Security release 7.7.2

Varnish version7.7.2 is now available.This release addresses the vulnerability described inVSV00017.

2025-08-13 - Security release 7.6.4

Varnish version7.6.4 is now available.This release addresses the vulnerability described inVSV00017.

2025-08-13 - Security release 6.0.15

Varnish version6.0.15 is now available.This release addresses the vulnerability described inVSV00017.

2025-05-12 - Security release 7.7.1

Varnish versions7.7.1 is now available.This release addresses the vulnerability described inVSV00016.

2025-05-12 - Request Smuggling Attack

Please seeVSV00016 Request Smuggling Attack.

2025-05-12 - Security release 7.6.3

Varnish versions7.6.3 is now available.This release addresses the vulnerability described inVSV00016.

2025-05-12 - Security release 6.0.14

Varnish versions6.0.14 is now available.This release addresses the vulnerability described inVSV00016.

2025-03-17 - Varnish 7.7.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 7.7.0

The 7.5 series is no longer supported in any capacity.

2025-03-17 - Varnish HTTP/1 client-side desync vulnerability

Please seeVSV00015 Varnish HTTP/1 client-side desync vulnerability.

2025-03-17 - Security release 7.6.2

Varnish versions7.6.2 is now available.This release addresses the vulnerability described inVSV00015.

2024-11-08 - Varnish 7.6.1 is released

Varnish 7.6.1 has been released and can be found here:Varnish Cache 7.6.1

This maintenance release fixes a few bugs introduced in 7.6.0.

2024-09-13 - Varnish 7.6.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 7.6.0

The 7.4 series is no longer supported in any capacity.

2024-03-18 - Varnish 7.5.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 7.5.0

The 7.3 series is no longer supported in any capacity.

2024-03-18 - Varnish HTTP/2 Broke Window Attack

All Varnish Cache releases with HTTP/2 support suffer a vulnerability inthe HTTP/2 protocol. Please seeVSV00014 Varnish HTTP/2 Broke Window Attack for more information.

2024-03-18 - Security releases: 6.0.13, 7.3.2 and 7.4.3

Varnish versions6.0.13,7.3.2 and7.4.3 are now available. These releases are published toaddress the vulnerability described inVSV00014.

2024-02-06 -SLASH/ 1.0.0-rc1

Celebrating the 18th anniversary of Varnish-Cache and the firstanniversary of theSLASH/ storage engines today, your Open-SourceVarnish-Cache friends fromUPLEX have just tagged the first version1.0.0 candidate of our extension with storage engines (stevedores) andstorage routers (loadmasters).

Over the past year, we have received a lot of helpful input from ourusers and have implemented substantial improvements. THANK YOU toeveryone who has contributed by reporting issues, providing feedbackand, just recently, adding documentation. SLASH/fellow has also helpedimprove Varnish-Cache itself.

After rigorous testing in particular over the past weeks, we nowboldly claim that SLASH/ deserves a 1.0 version tag.

HAPPY BIRTHDAY Varnish-Cache!

HAPPY BIRTHDAY SLASH/buddy and SLASH/fellow!

Continue reading:

2023-11-13 - Varnish HTTP/2 Rapid Reset Attack

All Varnish Cache releases with HTTP/2 support suffer a vulnerability inthe HTTP/2 protocol. Please seeVSV00013 Varnish HTTP/2 Rapid Reset Attack for more information.

2023-11-13 - Security releases: 6.0.12, 7.3.1 and 7.4.2

Varnish versions6.0.12,7.3.1 and7.4.2 are now available. These releases are published toaddress the vulnerability described inVSV00013.

2023-09-20 - Varnish 7.4.1 is released

Varnish 7.4.1 has been released and can be found here:Varnish Cache 7.4.1

This maintenance release fixes a bug preventing protected headersto be read from several subroutines.

2023-09-15 - Varnish 7.4.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 7.4.0

The 7.2 series is no longer supported in any capacity.

2023-08-17 - VSV00012: Vulnerability in vmod_digest

Please seeVSV00012 Base64 decoding vulnerability in vmod-digest

2023-03-15 - Varnish 7.3.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 7.3.0

The 7.1 series is no longer supported in any capacity.

2023-02-06 - Two new Storage Engines for Varnish-Cache

Celebrating the 17th anniversary of Varnish-Cache today, yourOpen-Source Varnish-Cache friends fromUPLEX have just released anextension with two new storage engines (stevedores) and two basicstorage routers (loadmasters). One of the storage engines,fellow,offers persistent storage on disks (or SSDs, rather).

The preferred public repository with support for issues,merge-requests and other activities is athttps://gitlab.com/uplex/varnish/slash

To read more:

2022-11-08 - Request Forgery Vulnerability

All supported versions of Varnish suffer from a request forgeryvulnerability on HTTP/2 connections. Please seeVSV00011 Varnish HTTP/2 Request Forgery Vulnerability for moreinformation.

2022-11-08 - Request Smuggling Vulnerability

Varnish Cache releases 7.1 and 7.2 suffer from a Request Smugglingvulnerability. Please seeVSV00010 Varnish Request Smuggling Vulnerability for more information.

2022-11-08 - Security releases: 6.0.11, 7.2.1 and 7.1.2

Varnish versions6.0.11,7.2.1 and7.1.2 are now available. These releases are published toaddress the vulnerabilities described inVSV00010 andVSV00011.

2022-09-15 - Varnish 7.2.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 7.2.0

The 7.0 series is no longer supported in any capacity.

2022-08-09 - Denial of Service Vulnerability

Varnish Cache releases 7.0 and 7.1 suffer from a Denial of Servicevulnerability. Please seeVSV00009 Varnish Denial of Service Vulnerability for more information.

2022-08-09 - Security releases: 7.1.1 and 7.0.3

Varnish versions7.1.1 and7.0.3 arenow available. These releases fix the vulnerability described inVSV00009.

2022-03-15 - Varnish 7.1.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 7.1.0

The 6.6 series is no longer supported in any capacity.

2022-01-25 - HTTP/1 Request Smuggling Vulnerability

All supported versions of Varnish suffer from a request smugglingvulnerability on HTTP/1 connections. Please seeVSV00008 Varnish HTTP/1 Request Smuggling Vulnerability for moreinformation.

2022-01-25 - Security releases: 6.0.10, 7.0.2 and 6.6.2

Varnish versions6.0.10,7.0.2 and6.6.2 are now available. These releases fix thevulnerability described inVSV00008.

2021-11-24 - Varnish 6.0.9 is released

Varnish 6.0.9 has been released and can be found here:Varnish Cache 6.0.9

This maintenance release is recommended for all users of the 6.0 LTSand contains several bug fixes.

2021-11-23 - Varnish 7.0.1 is released

Varnish 7.0.1 has been released and can be found here:Varnish Cache 7.0.1

This is a maintenance release to correct some bugs that got into the 7.0.0release.

2021-09-15 - Varnish 7.0.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 7.0.0

The 6.5 series is no longer supported in any capacity.

(The 2022-03-15 release is likely to be 8.0.0)

2021-08-17 - Open Source parallel ESI for varnish-cache

On

we have released a Varnish Delivery Processor (VDP) for parallel ESI processing,which can deliver relevant speedups where portions of ESI-processed objects arenot served from cache.

ReadThe pESI Announcement for more details.

2021-07-13 - HTTP/2 Request Smuggling Vulnerability

All supported versions of Varnish suffer from a request smugglingvulnerability when the HTTP/2 support is enabled. Please seeVSV00007 Varnish HTTP/2 Request Smuggling Attack for more information.

2021-07-13 - Security releases: 6.0.8, 6.6.1 and 6.5.2

Varnish versions6.0.8,6.6.1 and6.5.2 are now available. These releases fix thevulnerability described inVSV00007.

2021-07-13 - Varnish 6.0.8 is released

We are happy to announce the release ofVarnish Cache 6.0.8.

This combined maintenance and security release is recommended for allusers of the 6.0 LTS and contains several bug fixes, improvements and newfeatures. More information is available in theChange log

2021-03-16 - Denial of Service in varnish-modules

Some versions of the separatevarnish-modules bundle allow for apotential denial of service attack when theheader.append() orheader.copy() functions are used.

Please seeVSV00006 varnish-modules Denial of Service.

2021-03-15 - Varnish 6.6.0 is released

Our bi-annual “fresh” release is here:Varnish Cache 6.6.0

(The 2021-09-15 release is likely to be 7.0.0)

2020-11-06 - Varnish 6.0.7 is released

We are happy to announce the release ofVarnish Cache 6.0.7.

This maintenance release is recommended for all users of the 6.0 LTSand contains several bug fixes, improvements and new features. Moreinformation is available in theChange log

2020-09-25 - Varnish 6.5.1 is released

When preparing the 6.5.0 release, it was forgotten to bump theVRT_MAJOR_VERSION number defined in thevrt.h include file. This majorversion bump is needed due to the API and ABI changes as part of therelease, to make sure that VMODs are not allowed used if they werecompiled for the wrong Varnish version.

This has been fixed in theVarnish Cache 6.5.1 release.

2020-09-15 - Varnish 6.5.0 is released

Come and get it…Varnish Cache 6.5.0

2020-03-16 - Varnish 6.4.0 is released

Our bi-annual “fresh” releaseVarnish Cache 6.4.0

2020-02-04 - Security Advisory: Denial of Service

All supported versions of Varnish suffer from a denial of service attackwhen using the Proxy Protocol version 2. Please seeVSV00005.

2020-02-04 - Security releases: 6.0.6, 6.2.3 and 6.3.2

Varnish versions 6.0.6, 6.2.3 and 6.3.2 are now available. SeeVSV00005 for details.

Older news

Package repository status

The official Linux (apt/yum) package repositories are now locatedat Packagecloud.io.A list of all available repositories can be found at:https://packagecloud.io/varnishcache

For more details on packages, seeReleases & Downloads

Privacy

You can access the varnish-cache homepages with HTTP or HTTPS as youlike.

We save the logfiles from our Varnish instance for a limited period,in order to be able to debug problems.

We do not use any external trackers and do not analyze traffic.