Varnish 3.0.7 released.

Lasse Karstensen lkarsten at
Mon Mar 23 15:08:16 CET 2015

Dear Varnish community.

Varnish Cache 3.0.7 have just been released:

List of changes:

* Requests with multiple Content-Length headers will now fail.

* Stop recognizing a single CR (r) as a HTTP line separator. This opened
up a possible cache poisioning attack in stacked installations where
sslterminator/varnish/backend had different CR handling.

* Improved error detection on master-child process communication, leading
to faster recovery (child restart) if communication loses sync.

* Fix a corner-case where Content-Length was wrong for HTTP 1.0 clients,
when using gzip and streaming. Bug 1627.

* More robust handling of hop-by-hop headers.

* [packaging] Coherent Redhat pidfile in init script. Bug #1690.

* Avoid memory leak when adding bans.

All users are recommended to upgrade to Varnish 4.0, or this new
3.0.7 if you can't upgrade just yet.

Please note that ordinary support for Varnish Cache 3.0 ends in April

Binary packages will be uploaded to shortly.

Lasse Karstensen
Varnish Software AS

More information about the varnish-announce mailing list