Security issues with libcurl - the curl vmod NOT affected
However, it is not affected as the curl vmod doesn't have followlocation turned on. The only way it could be affected would be if the URL you're fetching is user supplied. I've never heard of anyone doing such a thing. If you are doing such a crazy thing you should update libcurl and recompile the vmod. Varnish itself is not at all affected.