On 31 Oct 2013 08:11, Tollef Fog Heen wrote:
> ]] Florian Weimer
> > * Tollef Fog Heen:
> > > We've had a denial of service attack reported in Varnish. I believe we should get this fixed in stable (we're working on a patch), but I'd like a CVE # to go with the advisory. Draft advisory at http://etherpad.wikimedia.org/p/WnwRT4FH6e
> > Is this link already public? If not, what's your disclosure schedule?
> Yes, see https://www.varnish-cache.org/lists/pipermail/varnish-announce/2013-October/000686.html for our advisory. Diff is https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6?format=diff&new=4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6

Fedora/EPEL's tracking bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1025127

For Fedora, I'll just wait for 3.0.5, I think. f18 and f19 have 3.0.3. I recently committed 3.0.4 to rawhide, but I won't build packages for f18 and f19 now, if 3.0.5 is out in a few days.

epel5 has varnish-2.0.6. epel6 has 2.1.5.

I have produced a backport for 2.0.6 available here: http://users.linpro.no/ingvar/varnish/varnish.fix_CVE-2013-4484.patch.txt . I've added some changes for http_DissectRequest too (a check for duplicated Host headers), though I can't say for sure if these are necessary. It compiles and runs tests/r01367.vtc fine without them.

Please review this. If it seems appropriate, I'll do one for varnish-2.1.5 too.

Ingvar
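As an added illustration of the kind of "duplicated Host header" check mentioned in the message above, the C function below scans a raw HTTP header block and classifies the request as having exactly one, none, or more than one Host header. This is example code written for this page; it is not Varnish's http_DissectRequest, not the linked backport patch, and the function and enum names (`check_host_headers`, `host_check`) and the sample header blocks are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the Host header check (hypothetical enum, not Varnish's). */
enum host_check {
    HOST_OK = 0,        /* exactly one Host header */
    HOST_MISSING = 1,   /* no Host header at all */
    HOST_DUPLICATE = 2  /* more than one Host header: reject the request */
};

/* Case-insensitive test of a header name against "Host".
 * name_len is the length of the name up to (not including) the ':'.
 * Whitespace before the colon is not tolerated, matching RFC syntax. */
static int is_host_header(const char *line, size_t name_len)
{
    static const char host[] = "host";
    if (name_len != sizeof(host) - 1)
        return 0;
    for (size_t i = 0; i < name_len; i++)
        if (tolower((unsigned char)line[i]) != host[i])
            return 0;
    return 1;
}

/* Count Host headers in a header block (header lines only, no request
 * line, separated by "\r\n" and terminated by an empty line) and
 * classify the request. Illustrative code, not Varnish's parser. */
enum host_check check_host_headers(const char *hdrs)
{
    int count = 0;
    const char *p = hdrs;

    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0)
            break;              /* empty line: end of headers */
        const char *colon = memchr(p, ':', len);
        if (colon && is_host_header(p, (size_t)(colon - p)))
            count++;
        p += len;
        if (eol)
            p += 2;             /* skip the CRLF */
    }
    if (count == 0)
        return HOST_MISSING;
    if (count > 1)
        return HOST_DUPLICATE;
    return HOST_OK;
}

int main(void)
{
    /* Constructed sample header blocks (request line omitted). */
    const char *good = "Host: example.com\r\nAccept: */*\r\n\r\n";
    const char *dup  = "Host: example.com\r\nhost: other.example\r\n\r\n";
    const char *none = "Accept: */*\r\n\r\n";
    printf("good: %d\n", check_host_headers(good));   /* 0 */
    printf("dup:  %d\n", check_host_headers(dup));    /* 2 */
    printf("none: %d\n", check_host_headers(none));   /* 1 */
    return 0;
}
```

A request classified as `HOST_DUPLICATE` should be answered with a 400 rather than passed on, since two Host values leave the cache unable to decide which origin and cache key the request belongs to; the name comparison is case-insensitive because header field names are, so `host:` and `HOST:` count as the same header.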


_______________________________________________
varnish-dev mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
