From martin at varnish-software.com Tue Sep 3 10:12:56 2019 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Tue, 3 Sep 2019 12:12:56 +0200 Subject: VSV00003 - DoS attack vector Message-ID: VSV00003 DoS attack vector ========================== Date: 2019-09-03 An HTTP/1 parsing failure has been uncovered in Varnish Cache that will allow a remote attacker to trigger an assert in Varnish Cache by sending specially crafted HTTP/1 requests. The assert will cause Varnish to automatically restart with a clean cache, which makes it a Denial of Service attack. The problem was uncovered by internal testing at Varnish Software. It has to the best of our knowledge not been exploited. The following is required for a successful attack: * The attacker must be able to send multiple HTTP/1 requests processed on the same HTTP/1 keepalive connection. Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache. Versions affected ----------------- * 6.1.0 and forward * 6.0 LTS by Varnish Software up to and including 6.0.3 Versions not affected --------------------- * Versions prior to 6.1.0 contains parsing bugs that are requisites for successfully exploiting the issue, but these versions will not assert. This includes the end-of-lifed 4.1 LTS series. Fixed in -------- * 6.2.1 * 6.0.4 LTS by Varnish Software * GitHub Varnish Cache master branch at commit 406b583fe54634afd029e7a41e35b3cf9ccac28a Mitigation from VCL ------------------- See :ref:`VSV00003-mitigation` for information about mitigation through VCL. Thankyous and credits --------------------- Alf-Andr? Walla at Varnish Software for uncovering the problem. Nils Goroll at UPLEX for patch review and VCL mitigation. Varnish Software for handling this security incident. Regards, Martin Blix Grydeland -- *Martin Blix Grydeland* Senior Developer | Varnish Software -------------- next part -------------- An HTML attachment was scrubbed... URL: From martin at varnish-software.com Tue Sep 3 10:24:16 2019 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Tue, 3 Sep 2019 12:24:16 +0200 Subject: VSV00003 - DoS attack vector - Links corrected Message-ID: VSV00003 DoS attack vector ========================== https://varnish-cache.org/security/VSV00003.html Date: 2019-09-03 An HTTP/1 parsing failure has been uncovered in Varnish Cache that will allow a remote attacker to trigger an assert in Varnish Cache by sending specially crafted HTTP/1 requests. The assert will cause Varnish to automatically restart with a clean cache, which makes it a Denial of Service attack. The problem was uncovered by internal testing at Varnish Software. It has to the best of our knowledge not been exploited. The following is required for a successful attack: * The attacker must be able to send multiple HTTP/1 requests processed on the same HTTP/1 keepalive connection. Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache. Versions affected ----------------- * 6.1.0 and forward * 6.0 LTS by Varnish Software up to and including 6.0.3 Versions not affected --------------------- * Versions prior to 6.1.0 contains parsing bugs that are requisites for successfully exploiting the issue, but these versions will not assert. This includes the end-of-lifed 4.1 LTS series. Fixed in -------- * 6.2.1 * 6.0.4 LTS by Varnish Software * GitHub Varnish Cache master branch at commit 406b583fe54634afd029e7a41e35b3cf9ccac28a Mitigation from VCL ------------------- See https://varnish-cache.org/security/VSV00003-mitigation.html for information about mitigation through VCL. Thankyous and credits --------------------- Alf-Andr? Walla at Varnish Software for uncovering the problem. Nils Goroll at UPLEX for patch review and VCL mitigation. Varnish Software for handling this security incident. Regards, Martin Blix Grydeland -- Martin Blix Grydeland Senior Developer | Varnish Software AS From phk at phk.freebsd.dk Mon Sep 16 15:04:01 2019 From: phk at phk.freebsd.dk (Poul-Henning Kamp) Date: Mon, 16 Sep 2019 15:04:01 +0000 Subject: Varnish Cache Release 6.3.0 Announcement Message-ID: <99966.1568646241@critter.freebsd.dk> We have released our regular biannual "fresh" release: http://varnish-cache.org/releases/rel6.3.0.html Thanks to everybody in the project for their contribution, and special thanks to Hermunn & crew for release engineering. Next release will be on 2020-03-16. Poul-Henning -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk at FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.