CVE number needed for Varnish DoS, also heads-up

Ingvar Hagelund ingvar at redpill-linpro.com
Tue Nov 5 13:20:06 CET 2013


On 31 Oct 2013 08:11, Tollef Fog Heen wrote:
> ]] Florian Weimer
>> * Tollef Fog Heen:
>>> we've had a denial of service attack reported in Varnish. I believe 
>>> we should get this fixed in stable (we're working on a patch), but 
>>> I'd like a CVE # to go with the advisory. Draft advisory at 
>>> http://etherpad.wikimedia.org/p/WnwRT4FH6e 
>> is this link already public? If not, what's your disclosure schedule? 
> Yes, see 
> https://www.varnish-cache.org/lists/pipermail/varnish-announce/2013-October/000686.html 
> for our advisory. Diff is 
> https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6?format=diff&new=4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6 
>

Fedora/EPEL's tracking bug is here: 
https://bugzilla.redhat.com/show_bug.cgi?id=1025127

For Fedora, I'll just wait for 3.0.5, I think. f18 and f19 have 3.0.3. I 
recently committed 3.0.4 to rawhide, but I won't build packages for f18 
and f19 now, if 3.0.5 is out in a few days.

epel5 has varnish-2.0.6. epel6 has 2.1.5.

I have produced a backport for 2.0.6 available here: 
http://users.linpro.no/ingvar/varnish/varnish.fix_CVE-2013-4484.patch.txt . 
I've added some changes for http_DissectRequest too (a check for 
duplicated Host headers), though I can't say for sure if these are 
necessary. It compiles and runs tests/r01367.vtc fine without them.

Please review this. If it seems appropriate, I'll do one for 
varnish-2.1.5 too.

Ingvar
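The message above mentions adding a check for duplicated Host headers to http_DissectRequest. The following is an added, stand-alone illustration of what such a check looks like on a raw HTTP/1.x request; it is not Varnish code and not the backport patch linked above. The function names (check_host_headers, is_host_header), the result codes and the sample requests are all constructed for this example. A request carrying two Host headers is ambiguous (different hops may pick different ones), so the check rejects it rather than choosing one.

```c
/* Illustrative duplicate-Host-header check on a raw HTTP/1.x request.
 * Added example; none of this is from Varnish's http_DissectRequest. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum host_check {
    HOST_OK = 0,        /* exactly one Host header */
    HOST_MISSING = 1,   /* no Host header at all */
    HOST_DUPLICATE = 2, /* two or more Host headers: reject as ambiguous */
    HOST_MALFORMED = 3  /* header block not terminated by a blank line */
};

/* Case-insensitive test of whether a header line's name is "Host".
 * Whitespace before the colon is tolerated on purpose: "Host : b" is
 * still counted, so "Host: a" plus "Host : b" is flagged as a duplicate
 * instead of slipping past the check. */
static int is_host_header(const char *line, size_t len)
{
    const char *name = "host";
    size_t i = 0;

    while (i < len && i < 4 && tolower((unsigned char)line[i]) == name[i])
        i++;
    if (i != 4)
        return 0;                       /* name is not "host..." */
    while (i < len && (line[i] == ' ' || line[i] == '\t'))
        i++;
    return i < len && line[i] == ':';   /* "hostname:" fails here */
}

/* Scan the header block of a request (request line through the blank
 * line) and count Host headers. `req` must be NUL-terminated.
 * Returns one of enum host_check. */
int check_host_headers(const char *req)
{
    const char *end = strstr(req, "\r\n\r\n");   /* end of header block */
    const char *p;
    int count = 0;

    if (end == NULL)
        return HOST_MALFORMED;

    p = strstr(req, "\r\n");            /* skip the request line */
    if (p == NULL)
        return HOST_MALFORMED;
    p += 2;

    while (p < end) {
        const char *eol = strstr(p, "\r\n");  /* found at `end` at the latest */
        if (eol == NULL)
            break;
        /* obs-fold continuation lines start with whitespace and therefore
         * never match a header name, so they are not counted twice */
        if (is_host_header(p, (size_t)(eol - p)))
            count++;
        p = eol + 2;
    }

    if (count == 0)
        return HOST_MISSING;
    if (count > 1)
        return HOST_DUPLICATE;
    return HOST_OK;
}

int main(void)
{
    /* constructed sample requests */
    const char *good = "GET / HTTP/1.1\r\nHost: a.example\r\n\r\n";
    const char *dup  = "GET / HTTP/1.1\r\nHost: a.example\r\nhost: b.example\r\n\r\n";
    const char *none = "GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n";
    const char *cut  = "GET / HTTP/1.1\r\nHost: a.example\r\n";

    printf("single Host:    %d\n", check_host_headers(good));
    printf("duplicate Host: %d\n", check_host_headers(dup));
    printf("missing Host:   %d\n", check_host_headers(none));
    printf("truncated:      %d\n", check_host_headers(cut));
    return 0;
}
```

The check runs over the header block only, so a body that happens to contain "Host:" is never inspected; the request line is skipped, and the blank line terminating the headers must be present or the request is treated as malformed rather than scanned partially.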
