Arch Linux Security Advisory ASA-201708-4
=========================================
Severity: High
Date    : 2017-08-10
CVE-ID  : CVE-2017-12425
Package : varnish
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-374

Summary
=======
The package varnish before version 5.1.3-1 is vulnerable to denial of
service.

Resolution
==========
Upgrade to 5.1.3-1.

# pacman -Syu "varnish>=5.1.3-1"

The problem has been fixed upstream in version 5.1.3.

Workaround
==========
None.

Description
===========
A remote, non-authenticated denial of service has been found in varnish
< 5.1.3. A wrong if statement in the varnishd source code can trigger
an assert when processing invalid requests from the client. This causes
the varnishd worker process to abort and restart, losing the cached
contents in the process.

Impact
======
A remote attacker can crash a varnishd server by sending a crafted HTTP
request.
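
The abort-and-restart behaviour described above is visible in the manager process's log. The following script is an added example, not part of the advisory or of Varnish itself; it flags bursts of worker aborts. The log lines are constructed, and the ``Child (<pid>) died signal=<n>`` line format, host name and thresholds are assumptions to adapt to your own logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (host, PIDs and timestamps are made up). The
# "Child (<pid>) died signal=<n>" wording is an assumed manager log format;
# adjust CHILD_DIED to whatever your varnishd actually writes.
SAMPLE_LOG = """\
2017-08-10T09:14:02 cache01 varnishd[811]: Child (1042) died signal=6
2017-08-10T09:14:03 cache01 varnishd[811]: Child (1107) Started
2017-08-10T09:14:31 cache01 varnishd[811]: Child (1107) died signal=6
2017-08-10T09:15:05 cache01 varnishd[811]: Child (1163) died signal=6
2017-08-10T11:40:00 cache01 varnishd[811]: Child (1220) died signal=11
"""

CHILD_DIED = re.compile(
    r"^(?P<ts>\S+) \S+ varnishd\[\d+\]: "
    r"Child \((?P<pid>\d+)\) died signal=(?P<sig>\d+)"
)
SIGABRT = 6  # signal raised by abort(), which is how a failed assert ends


def abort_events(lines):
    """Return sorted (timestamp, child_pid) pairs for workers killed by SIGABRT."""
    events = []
    for line in lines:
        m = CHILD_DIED.match(line)
        if m and int(m["sig"]) == SIGABRT:
            events.append((datetime.fromisoformat(m["ts"]), int(m["pid"])))
    return sorted(events)


def abort_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Group aborts within `window` of a group's first abort; keep groups
    that contain at least `threshold` aborts."""
    bursts, current = [], []
    for event in abort_events(lines):
        if current and event[0] - current[0][0] > window:
            if len(current) >= threshold:
                bursts.append(current)
            current = []
        current.append(event)
    if len(current) >= threshold:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    for burst in abort_bursts(SAMPLE_LOG.splitlines()):
        first, last = burst[0][0], burst[-1][0]
        print(f"{len(burst)} varnishd worker aborts between {first} and {last}")
```

A single abort can have many causes; repeated aborts in a short window on a version older than 5.1.3-1 are the pattern worth alerting on.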

References
==========
https://varnish-cache.org/security/VSV00001.html#vsv00001
https://security.archlinux.org/CVE-2017-12425
