Bug 626872 (CVE-2017-12425) - <www-servers/varnish-{4.0.5,4.1.8}: DoS vulnerability
Status: RESOLVED FIXED
Alias: CVE-2017-12425
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://varnish-cache.org/security/VS...
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 625100
Depends on:
Blocks:
 
Reported: 2017-08-02 12:36 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-09-25 00:37 UTC

See Also:
Package list:
www-servers/varnish-4.0.5 amd64 x86 www-servers/varnish-4.1.8 amd64 x86 www-servers/varnish-5.1.3 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-02 12:36:06 UTC
A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert.

This causes the varnishd worker process to abort and restart, losing the cached contents in the process.

An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack.

Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.


Versions affected

    4.0.1 to 4.0.4
    4.1.0 to 4.1.7
    5.0.0
    5.1.0 to 5.1.2


Versions not affected

    All releases up to and including 4.0.0

Fixed in

    4.0.5 and forward
    4.1.8 and forward
    5.1.3 and forward
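
To triage hosts against the version ranges listed in the description above, the following shell check classifies a version taken from a `varnishd -V` banner or a Gentoo package atom. It is an added example, not part of the bug report or of Varnish; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Varnish version against the ranges in this bug.

# Pull x.y.z out of a `varnishd -V` banner or a Gentoo atom; empty if absent.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*varnish-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status 0 = affected, 1 = not affected, 2 = not an x.y.z version.
is_affected() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 2
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        4.0) [ "$patch" -ge 1 ] && [ "$patch" -le 4 ] ;;  # 4.0.1 to 4.0.4
        4.1) [ "$patch" -le 7 ] ;;                        # 4.1.0 to 4.1.7
        5.0) [ "$patch" -eq 0 ] ;;                        # 5.0.0
        5.1) [ "$patch" -le 2 ] ;;                        # 5.1.0 to 5.1.2
        *)   return 1 ;;   # up to 4.0.0, and branches after 5.1
    esac
}

# Print "affected x.y.z", "not-affected x.y.z" or "unknown" for one input line.
classify() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "unknown"; return 0; }
    if is_affected "$v"; then echo "affected $v"; else echo "not-affected $v"; fi
}

# Constructed sample inputs (the revision string is a placeholder).
for sample in \
    'varnishd (varnish-4.1.7 revision 0000000)' \
    '=www-servers/varnish-4.1.8' \
    'www-servers/varnish-5.1.2-r1'
do
    printf '%-45s %s\n' "$sample" "$(classify "$sample")"
done
```
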
Comment 1 Anthony Basile gentoo-dev 2017-08-02 15:03:32 UTC
I've put the latest fixed versions on the tree and removed all the vulnerable unstable versions.  However, there are still vulnerable stable versions so we need to rapid stabilize the following so I can all vulnerable versions:

=www-servers/varnish-4.0.5
=www-servers/varnish-4.1.8
=www-servers/varnish-5.1.3

KEYWORDS="amd64 x86"
Comment 2 Anthony Basile gentoo-dev 2017-08-05 08:19:59 UTC
*** Bug 625100 has been marked as a duplicate of this bug. ***
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-25 00:54:03 UTC
amd64 tested, no issues arise with multiple combinations of USE flags on three versions
Comment 4 Anthony Basile gentoo-dev 2017-08-25 08:32:45 UTC
(In reply to Christopher Díaz from comment #3)
> amd64 tested, no issues arise with multiple combinations of USE flags on
> three versions

@arch teams.  ping!
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2017-08-25 21:57:11 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-29 20:44:13 UTC
x86 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 21:10:02 UTC
@maintainers, please clean.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2017-09-24 23:09:28 UTC
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 9 Anthony Basile gentoo-dev 2017-09-25 00:36:32 UTC
(In reply to Yury German from comment #8)
> GLSA Vote: No
> 
> Maintainer(s), please drop the vulnerable version(s).

done
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-09-25 00:37:24 UTC
Maintainer(s), Thank you for your work.