Arch Linux Security Advisory ASA-201708-4
=========================================

Severity: High
Date    : 2017-08-10
CVE-ID  : CVE-2017-12425
Package : varnish
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-374

Summary
=======

The package varnish before version 5.1.3-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 5.1.3-1.

# pacman -Syu "varnish>=5.1.3-1"

The problem has been fixed upstream in version 5.1.3.

Workaround
==========

None.

Description
===========

A remote, non-authenticated denial of service has been found in varnish
< 5.1.3. A wrong if statement in the varnishd source code can trigger
an assert when processing invalid requests from the client. This causes
the varnishd worker process to abort and restart, losing the cached
contents in the process.

Impact
======

A remote attacker can crash a varnishd server by sending a crafted HTTP
request.

References
==========

https://varnish-cache.org/security/VSV00001.html#vsv00001
https://security.archlinux.org/CVE-2017-12425

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to