2017-08-03 06:26:26 |
Poil |
bug |
|
|
added bug |
2017-08-03 19:30:29 |
Seth Arnold |
varnish (Ubuntu): status |
New |
Incomplete |
|
2017-08-03 23:44:43 |
Tyler Hicks |
information type |
Private Security |
Public Security |
|
2017-08-04 05:28:13 |
Poil |
bug watch added |
|
https://github.com/varnishcache/varnish-cache/issues/2379 |
|
2017-08-07 17:46:11 |
Simon Quigley |
cve linked |
|
2017-12425 |
|
2017-08-07 17:46:19 |
Simon Quigley |
varnish (Ubuntu): status |
Incomplete |
Opinion |
|
2017-08-07 17:46:25 |
Simon Quigley |
varnish (Ubuntu): status |
Opinion |
In Progress |
|
2017-08-07 17:46:55 |
Simon Quigley |
description |
https://varnish-cache.org/security/VSV00001.html
CVE-<to be assigned, we couldn’t get one under embargo>
Date: 2017-08-02
A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert.
This causes the varnishd worker process to abort and restart, losing the cached contents in the process.
An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack.
Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.
Versions affected
4.0.1 to 4.0.4
4.1.0 to 4.1.7
5.0.0
5.1.0 to 5.1.2 |
https://varnish-cache.org/security/VSV00001.html
CVE-2017-12425
Date: 2017-08-02
A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert.
This causes the varnishd worker process to abort and restart, losing the cached contents in the process.
An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack.
Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.
Versions affected
4.0.1 to 4.0.4
4.1.0 to 4.1.7
5.0.0
5.1.0 to 5.1.2 |
|
2017-08-07 17:51:53 |
Tyler Hicks |
nominated for series |
|
Ubuntu Xenial |
|
2017-08-07 17:51:53 |
Tyler Hicks |
bug task added |
|
varnish (Ubuntu Xenial) |
|
2017-08-07 17:51:53 |
Tyler Hicks |
nominated for series |
|
Ubuntu Zesty |
|
2017-08-07 17:51:53 |
Tyler Hicks |
bug task added |
|
varnish (Ubuntu Zesty) |
|
2017-08-07 17:53:15 |
Simon Quigley |
varnish (Ubuntu): status |
In Progress |
Fix Released |
|
2017-08-07 17:53:17 |
Simon Quigley |
varnish (Ubuntu Xenial): status |
New |
In Progress |
|
2017-08-07 17:53:18 |
Simon Quigley |
varnish (Ubuntu Zesty): status |
New |
In Progress |
|
2017-08-07 17:53:20 |
Simon Quigley |
varnish (Ubuntu Xenial): assignee |
|
Simon Quigley (tsimonq2) |
|
2017-08-07 17:53:22 |
Simon Quigley |
varnish (Ubuntu Zesty): assignee |
|
Simon Quigley (tsimonq2) |
|
2017-08-07 18:00:10 |
Simon Quigley |
summary |
VSV00001 DoS vulnerability |
[CVE] Correctly handle bogusly large chunk sizes |
|
2017-08-07 18:05:07 |
Simon Quigley |
attachment added |
|
1-5.0.0-7ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+attachment/4928480/+files/1-5.0.0-7ubuntu0.1.debdiff |
|
2017-08-07 18:34:30 |
Simon Quigley |
attachment added |
|
1-4.1.1-1ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+attachment/4928514/+files/1-4.1.1-1ubuntu0.1.debdiff |
|
2017-08-11 11:55:22 |
Marc Deslauriers |
bug watch added |
|
https://github.com/varnishcache/varnish-cache/issues/1875 |
|
2017-08-12 02:36:12 |
Simon Quigley |
attachment added |
|
2-4.1.1-1ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+attachment/4930992/+files/2-4.1.1-1ubuntu0.1.debdiff |
|
2017-08-12 02:36:20 |
Simon Quigley |
bug |
|
|
added subscriber Simon Quigley |
2017-08-12 03:02:16 |
Simon Quigley |
attachment added |
|
3-4.1.1-1ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+attachment/4931002/+files/3-4.1.1-1ubuntu0.1.debdiff |
|
2017-08-12 03:17:15 |
Steve Beattie |
varnish (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-08-12 03:17:17 |
Steve Beattie |
varnish (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2017-08-14 13:45:54 |
Pete Lawrence |
bug |
|
|
added subscriber Pete Lawrence |
2017-08-22 03:28:30 |
Simon Quigley |
varnish (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
2017-08-22 11:09:02 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2017-08-22 12:33:37 |
Launchpad Janitor |
varnish (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-08-22 12:33:40 |
Launchpad Janitor |
varnish (Ubuntu Xenial): status |
In Progress |
Fix Released |
|