[manjaro-security] [arch-security] [ASA-201708-4] varnish: denial of service

Remi Gacogne rgacogne at archlinux.org
Thu Aug 10 23:19:38 CEST 2017


Arch Linux Security Advisory ASA-201708-4
=========================================

Severity: High
Date    : 2017-08-10
CVE-ID  : CVE-2017-12425
Package : varnish
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-374

Summary
=======

The package varnish before version 5.1.3-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 5.1.3-1.

# pacman -Syu "varnish>=5.1.3-1"

The problem has been fixed upstream in version 5.1.3.
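As an added example (not part of the advisory or of Arch's tooling), the following script checks whether the varnish package installed on an Arch-based host is still older than the fixed 5.1.3-1. The version comparison is a small re-implementation of pacman's `vercmp` ordering (epoch, then pkgver, then pkgrel) that is sufficient for ordinary version strings; it is an approximation of libalpm's comparison, not the real code. The `installed_varnish_version` helper shells out to `pacman -Q`, which is assumed to be present; on any other system it simply returns `None`.

```python
"""Check an installed varnish version against the fix from ASA-201708-4.

Added example: mimics pacman's vercmp ordering for common version strings
of the form epoch:pkgver-pkgrel.  Not Arch's own implementation.
"""
import re
import subprocess

FIXED_VERSION = "5.1.3-1"   # fixed package version stated in the advisory


def _split(version):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel); missing epoch is 0."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    pkgver, _, pkgrel = version.partition("-")
    return epoch, pkgver, pkgrel or "0"


def _segments(s):
    """Break a version into numeric and alphabetic chunks: '5.1.3rc2' -> [5, 1, 3, 'rc', 2]."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def _cmp_segments(a, b):
    """Compare two segment lists; numeric chunks beat alphabetic ones (1.0 > 1.0rc)."""
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return (x > y) - (x < y)
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return (x > y) - (x < y)
    if len(a) == len(b):
        return 0
    # Trailing segments decide: an extra numeric chunk means newer (1.0.1 > 1.0),
    # an extra alphabetic chunk means a pre-release, i.e. older (1.0rc < 1.0).
    rest = a[len(b):] if len(a) > len(b) else b[len(a):]
    longer_is_newer = isinstance(rest[0], int)
    if len(a) > len(b):
        return 1 if longer_is_newer else -1
    return -1 if longer_is_newer else 1


def vercmp(a, b):
    """Return -1, 0 or 1 in the sense of pacman's vercmp: epoch, then pkgver, then pkgrel."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_segments(_segments(va), _segments(vb))
    if c:
        return c
    return _cmp_segments(_segments(ra), _segments(rb))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed package version is older than the fixed one."""
    return vercmp(installed, fixed) < 0


def installed_varnish_version():
    """Ask pacman for the installed varnish version; None if absent or pacman is missing."""
    try:
        out = subprocess.run(["pacman", "-Q", "varnish"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.split()[1]


if __name__ == "__main__":
    ver = installed_varnish_version()
    if ver is None:
        print("varnish is not installed (or pacman is not available)")
    elif is_vulnerable(ver):
        print(f"varnish {ver} is affected by CVE-2017-12425; upgrade to {FIXED_VERSION}")
    else:
        print(f"varnish {ver} is not affected by CVE-2017-12425")
```

Running it on a host that still has 5.1.2-1 installed reports the package as affected, while 5.1.3-1 or any later pkgrel, pkgver or epoch passes; the pre-release handling matters because a hypothetical 5.1.3rc1-1 sorts before 5.1.3-1 and is therefore still vulnerable.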

Workaround
==========

None.

Description
===========

A remote, non-authenticated denial of service has been found in varnish
< 5.1.3. A wrong if statement in the varnishd source code can trigger
an assert when processing invalid requests from the client. This causes
the varnishd worker process to abort and restart, losing the cached
contents in the process.

Impact
======

A remote attacker can crash a varnishd server by sending a crafted HTTP
request.

References
==========

https://varnish-cache.org/security/VSV00001.html#vsv00001
https://security.archlinux.org/CVE-2017-12425
