ArchLinux: 201708-4: varnish: denial of service
Summary
A remote, unauthenticated denial-of-service vulnerability has been found in varnish < 5.1.3. An incorrect if statement in the varnishd source code can trigger an assert when processing invalid requests from the client. This causes the varnishd worker process to abort and restart, losing the cached contents in the process.
Resolution
Upgrade to 5.1.3-1.
# pacman -Syu "varnish>=5.1.3-1"
The problem has been fixed upstream in version 5.1.3.
References
https://varnish-cache.org/security/VSV00001.html#vsv00001
https://security.archlinux.org/CVE-2017-12425
Workaround
None.