Public bug reported:

VSV00001 DoS vulnerability

CVE-<to be assigned, we couldn’t get one under embargo>

Date: 2017-08-02

A wrong if statement in the varnishd source code means that particular
invalid requests from the client can trigger an assert.

This causes the varnishd worker process to abort and restart, losing
the cached contents in the process.

An attacker can therefore crash the varnishd worker process on demand
and effectively keep it from serving content - a Denial-of-Service
attack.

Mitigation is possible from VCL or by updating to a fixed version of Varnish
Cache.

Versions affected

    4.0.1 to 4.0.4
    4.1.0 to 4.1.7
    5.0.0
    5.1.0 to 5.1.2

http://varnish-cache.org/security/VSV00001.html

** Affects: varnish (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1708553