[arch-security] [ASA-201708-4] varnish: denial of service
rgacogne at archlinux.org
Thu Aug 10 21:19:38 UTC 2017
Arch Linux Security Advisory ASA-201708-4
Date : 2017-08-10
CVE-ID : CVE-2017-12425
Package : varnish
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-374
The package varnish before version 5.1.3-1 is vulnerable to denial of
Upgrade to 5.1.3-1.
# pacman -Syu "varnish>=5.1.3-1"
The problem has been fixed upstream in version 5.1.3.
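To confirm that a host has picked up the fix, the installed package version can be compared against 5.1.3-1. The script below is an added example, not part of the original advisory; the function names are illustrative, and the `sort -V` fallback assumes versions without an epoch prefix.

```shell
#!/bin/sh
# Added example: flag varnish packages older than the fixed release named in
# this advisory. FIXED comes from the advisory; function names are illustrative.
FIXED="5.1.3-1"

# ver_lt A B: succeed when version A sorts strictly before version B.
# Uses pacman's vercmp when present; otherwise falls back to GNU `sort -V`
# (assumption: no epoch prefix, which sort -V does not understand).
ver_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# varnish_status VERSION: print "vulnerable" or "fixed" for a package version.
varnish_status() {
    if ver_lt "$1" "$FIXED"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# check_host: read the version from the local pacman database and classify it.
# Prints "not-installed" when pacman has no varnish package (or is absent).
check_host() {
    installed=$(pacman -Q varnish 2>/dev/null | awk '{print $2}')
    if [ -z "$installed" ]; then
        echo "not-installed"
    else
        varnish_status "$installed"
    fi
}

check_host
```

Running the same `varnish_status` function over version strings collected from several hosts gives a quick inventory of which ones still need the upgrade.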
A remote, unauthenticated denial of service has been found in varnish
< 5.1.3. An incorrect if statement in the varnishd source code can trigger
an assert when processing invalid requests from the client. This causes
the varnishd worker process to abort and restart, losing the cached
contents in the process.
A remote attacker can crash a varnishd server by sending a crafted HTTP