** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12425
** Changed in: varnish (Ubuntu)
Status: Incomplete => Opinion
** Changed in: varnish (Ubuntu)
Status: Opinion => In Progress
** Description changed:
https://varnish-cache.org/security/VSV00001.html
- CVE-<to be assigned, we couldn’t get one under embargo>
+ CVE-2017-12425
Date: 2017-08-02
A wrong if statement in the varnishd source code means that particular
invalid requests from the client can trigger an assert.
This causes the varnishd worker process to abort and restart, loosing
the cached contents in the process.
An attacker can therefore crash the varnishd worker process on demand
and effectively keep it from serving content - a Denial-of-Service
attack.
Mitigation is possible from VCL or by updating to a fixed version of Varnish
Cache.
Versions affected
- 4.0.1 to 4.0.4
- 4.1.0 to 4.1.7
- 5.0.0
- 5.1.0 to 5.1.2
+ 4.0.1 to 4.0.4
+ 4.1.0 to 4.1.7
+ 5.0.0
+ 5.1.0 to 5.1.2
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1708354
Title:
[CVE] Correctly handle bogusly large chunk sizes
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
