[Bug 1708354] Re: VSV00001 DoS vulnerability

2017-08-07 Thread Tyler Hicks
** Also affects: varnish (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: varnish (Ubuntu Zesty)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1708354

Title:
  [CVE] Correctly handle bogusly large chunk sizes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1708354] Re: VSV00001 DoS vulnerability

2017-08-07 Thread Simon Quigley
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12425

** Changed in: varnish (Ubuntu)
   Status: Incomplete => Opinion

** Changed in: varnish (Ubuntu)
   Status: Opinion => In Progress

** Description changed:

  https://varnish-cache.org/security/VSV1.html
  
- CVE-
+ CVE-2017-12425
  
  Date: 2017-08-02
  
  A wrong if statement in the varnishd source code means that particular
  invalid requests from the client can trigger an assert.
  
  This causes the varnishd worker process to abort and restart, loosing
  the cached contents in the process.
  
  An attacker can therefore crash the varnishd worker process on demand
  and effectively keep it from serving content - a Denial-of-Service
  attack.
  
  Mitigation is possible from VCL or by updating to a fixed version of Varnish 
Cache.
  Versions affected
  
- 4.0.1 to 4.0.4
- 4.1.0 to 4.1.7
- 5.0.0
- 5.1.0 to 5.1.2
+ 4.0.1 to 4.0.4
+ 4.1.0 to 4.1.7
+ 5.0.0
+ 5.1.0 to 5.1.2


[Bug 1708354] Re: VSV00001 DoS vulnerability

2017-08-07 Thread Simon Quigley
** Changed in: varnish (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: varnish (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: varnish (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: varnish (Ubuntu Xenial)
 Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: varnish (Ubuntu Zesty)
 Assignee: (unassigned) => Simon Quigley (tsimonq2)



[Bug 1708354] Re: VSV00001 DoS vulnerability

2017-08-04 Thread Tyler Hicks
Hello! The location of the upstream fix is not sufficient. A member of
the community (hopefully yourself) will need to prepare and test Ubuntu
security updates for this issue. Please review the UpdateProcedures wiki
page linked to in comment #1. Thank you!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1708354

Title:
  VSV1 DoS vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1708354/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1708354] Re: VSV00001 DoS vulnerability

2017-08-03 Thread Poil
The patch is here:
https://github.com/varnishcache/varnish-cache/commit/138015a3a5251da2ce56389435fe046c4b7da135

Ref. https://github.com/varnishcache/varnish-cache/issues/2379

Best regards

** Bug watch added: github.com/varnishcache/varnish-cache/issues #2379
   https://github.com/varnishcache/varnish-cache/issues/2379



[Bug 1708354] Re: VSV00001 DoS vulnerability

2017-08-03 Thread Tyler Hicks
** Information type changed from Private Security to Public Security
