Varnish DoS vulnerability

Bug #1708405 reported by Roman Plessl
This bug affects 1 person
Affects: varnish (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

As described in

  https://varnish-cache.org/security/VSV00001.html

varnish has a security issue for DoS which has been fixed.

A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert.

This causes the varnishd worker process to abort and restart, losing the cached contents in the process.

An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack.

The bug has been fixed in Debian: https://www.debian.org/security/2017/dsa-3924

My Ubuntu Version is:

  Description: Ubuntu 16.04.2 LTS
  Release: 16.04

Package Version:

varnish:
  Installed: 4.1.1-1
  Candidate: 4.1.1-1
  Version table:
 *** 4.1.1-1 500
        500 http://ch.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status

information type: Private Security → Public Security