CVE number needed for Varnish DoS, also heads-up
Ingvar Hagelund
ingvar at redpill-linpro.com
Tue Nov 5 13:20:06 CET 2013
Den 31. okt. 2013 08:11, skrev Tollef Fog Heen:
> ]] Florian Weimer
>> * Tollef Fog Heen:
>>> we've had a denial of service attack reported in Varnish. I believe
>>> we should get this fixed in stable (we're working on a patch), but
>>> I'd like a CVE # to go with the advisory. Draft advisory at
>>> http://etherpad.wikimedia.org/p/WnwRT4FH6e
>> is this link already public? If not, what's your disclosure schedule?
> Yes, see
> https://www.varnish-cache.org/lists/pipermail/varnish-announce/2013-October/000686.html
> for our advisory. Diff is
> https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6?format=diff&new=4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6
>
Fedora/EPEL's tracking bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1025127
For Fedora, I'll just wait for 3.0.5, I think. f18 and f19 have 3.0.3. I
recently committed 3.0.4 to rawhide, but I won't build packages for f18
and f19 now, if 3.0.5 is out in a few days.
epel5 has varnish-2.0.6. epel6 has 2.1.5.
I have produced a backport for 2.0.6 available here:
http://users.linpro.no/ingvar/varnish/varnish.fix_CVE-2013-4484.patch.txt .
I've added some changes for http_DissectRequest too (a check for
Duplicated Host headers), though I can't say for sure if these are
necessary. It compiles and runs tests/r01367.vtc fine without them.
Please review this. If it seems appropriate, I'll do one for
varnish-2.1.5 too.
Ingvar