[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
This bug was fixed in the package varnish - 4.1.1-1ubuntu0.2 --- varnish (4.1.1-1ubuntu0.2) xenial-security; urgency=medium * SECURITY UPDATE: Correctly handle bogusly large chunk sizes (LP: #1708354) - 4.1-Correctly-handle-bogusly-large-chunk-sizes.patch - fix-ftbfs-on-i386-54b5a0.patch - CVE-2017-12425 -- Simon Quigley Mon, 07 Aug 2017 13:15:51 -0500 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
This bug was fixed in the package varnish - 5.0.0-7ubuntu0.1 --- varnish (5.0.0-7ubuntu0.1) zesty-security; urgency=medium * SECURITY UPDATE: Correctly handle bogusly large chunk sizes (LP: #1708354) - 5.0-Correctly-handle-bogusly-large-chunk-sizes.patch - CVE-2017-12425 -- Simon Quigley Mon, 07 Aug 2017 12:57:31 -0500 ** Changed in: varnish (Ubuntu Zesty) Status: Fix Committed => Fix Released ** Changed in: varnish (Ubuntu Xenial) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
ACK on the debdiff in comment #10. I uploaded it with the revision number bumped and with the second patch added to the changelog. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
** Changed in: varnish (Ubuntu Zesty) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
** Changed in: varnish (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: varnish (Ubuntu Zesty) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
09:46:28 PM < sarnold> tsimonq2: I'm sorry to bug you about it immediately, but could you split that out into a second patch in the debdiff? that'll make it easier to revert one or the other if the need should arise in the future 09:47:00 PM < sarnold> if they were squashed from upstream, that'd be fine, but in this case they probably weren't :) Here's a follow-up debdiff for Xenial addressing that. Thanks for pointing it out, Seth! ** Patch added: "3-4.1.1-1ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+attachment/4931002/+files/3-4.1.1-1ubuntu0.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
Hey Marc, thanks for the tip! Attached is an updated Xenial debdiff for you. Thanks! ** Patch added: "2-4.1.1-1ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+attachment/4930992/+files/2-4.1.1-1ubuntu0.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
Hi Simon, The xenial i386 package failed to build in the PPA. I suspect you need to add the following patch: https://github.com/varnishcache/varnish- cache/commit/54b5a09f00c027da280361b30d32a4ff309ba3ab See the upstream bug: https://github.com/varnishcache/varnish-cache/issues/1875 Could you please fix the i386 build and submit a new debdiff? Thanks! ** Bug watch added: github.com/varnishcache/varnish-cache/issues #1875 https://github.com/varnishcache/varnish-cache/issues/1875 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
No need to patch 3.x the code is not exposed. Best regards -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
Packages are building in the security-proposed ppa https://launchpad.net /~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages -- please test. Local builds showed some symbols being removed, which I don't understand: ./usr/lib/x86_64-linux-gnu/libvarnishapi.so.1.0.4: -__isnan U ./usr/lib/x86_64-linux-gnu/varnish/vmods/libvmod_std.so: -__finite U -__isnan U Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
Attached is a debdiff for Xenial applicable to 4.1.1-1. ** Patch added: "1-4.1.1-1ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+attachment/4928514/+files/1-4.1.1-1ubuntu0.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
Attached is a debdiff for Zesty applicable to 5.0.0-7. ** Summary changed: - VSV1 DoS vulnerability + [CVE] Correctly handle bogusly large chunk sizes ** Patch added: "1-5.0.0-7ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+attachment/4928480/+files/1-5.0.0-7ubuntu0.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1708354 Title: [CVE] Correctly handle bogusly large chunk sizes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs