VSV00006 varnish-modules Denial of Service
==========================================

Date: 2021-03-16

An assert or NULL pointer dereference can be triggered in Varnish Cache
through the ``header.append()`` and ``header.copy()`` functions from the
separate `varnish-modules` bundle, which, depending on specifics of the
Varnish Configuration Language (VCL) file used, might allow for remote
clients to cause Varnish to assert and restart. A restart reduces overall
availability and performance due to an increased number of cache misses,
and may cause higher load on backend servers.

Note that the ``header`` vmod is *not* shipped with Varnish Cache, but
rather only available with the separate `varnish-modules` package. The
Varnish Cache team decided to release this advisory because
`varnish-modules` is a commonly used component with Varnish Cache
installations.

There is no potential for remote code execution or data leaks related to
this vulnerability.

Mitigation is possible through VCL, or by updating to a fixed version of
`varnish-modules`.

Oh wait: Note that the header vmod is not shipped with Varnish Cache, but rather only available with the separate varnish-modules package. The Varnish Cache team decided to release this advisory because varnish-modules is a commonly used component with Varnish Cache installations.