CVE number needed for Varnish DoS, also heads-up

Ingvar Hagelund ingvar at
Tue Nov 5 13:20:06 CET 2013

On 31 Oct 2013 08:11, Tollef Fog Heen wrote:
> ]] Florian Weimer
>> * Tollef Fog Heen:
>>> we've had a denial of service attack reported in Varnish. I believe 
>>> we should get this fixed in stable (we're working on a patch), but 
>>> I'd like a CVE # to go with the advisory. Draft advisory at 
>> is this link already public? If not, what's your disclosure schedule? 
> Yes, see 
> for our advisory. Diff is 

Fedora/EPEL's tracking bug is here:

For Fedora, I'll just wait for 3.0.5, I think. f18 and f19 have 3.0.3. I 
recently committed 3.0.4 to rawhide, but I won't build packages for f18 
and f19 now, if 3.0.5 is out in a few days.

epel5 has varnish-2.0.6. epel6 has 2.1.5.

I have produced a backport for 2.0.6 available here: . 
I've added some changes for http_DissectRequest too (a check for 
Duplicated Host headers), though I can't say for sure if these are 
necessary. It compiles and runs tests/r01367.vtc fine without them.

Please review this. If it seems appropriate, I'll do one for 
varnish-2.1.5 too.
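As an added illustration of the kind of check mentioned in the message above (not Varnish's http_DissectRequest and not the backport itself; it assumes a raw HTTP/1.x request head in a NUL-terminated buffer), this counts Host fields in the header block and rejects a request that carries more than one:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample requests (not from the Varnish test suite). */
const char REQ_ONE_HOST[] =
    "GET / HTTP/1.1\r\nHost: example.org\r\nAccept: */*\r\n\r\n";
const char REQ_DUP_HOST[] =
    "GET / HTTP/1.1\r\nHost: example.org\r\nhost: other.example\r\n\r\n";

/* True if the header line at p (len bytes, no CRLF) is a Host field.
 * Field names are case-insensitive (RFC 7230), so compare lowercased. */
static int is_host_field(const char *p, size_t len)
{
    static const char name[] = "host:";
    size_t i;
    if (len < sizeof(name) - 1)
        return 0;
    for (i = 0; i < sizeof(name) - 1; i++)
        if (tolower((unsigned char)p[i]) != name[i])
            return 0;
    return 1;
}

/* Count Host fields in the header block of a raw request head,
 * skipping the request line and stopping at the empty line. */
int count_host_headers(const char *req)
{
    const char *line = strchr(req, '\n');
    int n = 0;
    if (line == NULL)
        return 0;
    for (line++; *line != '\0' && *line != '\r' && *line != '\n'; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 0 && line[len - 1] == '\r')
            len--;
        n += is_host_field(line, len);
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return n;
}

/* Status a front end should answer with: 400 when Host is duplicated. */
int host_header_status(const char *req)
{
    return count_host_headers(req) > 1 ? 400 : 200;
}
```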

