| Summary: | <www-servers/varnish-3.0.5: denial of service handling certain GET requests (CVE-2013-4484) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | blueness |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1025127 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2013-10-31 09:24:53 UTC
3.0.5 released today, should have the fix.

(In reply to Chris Reffett from comment #1)
> 3.0.5 released today, should have the fix.

I added it to the tree and tested. Please rapid stabilize for amd64 and x86.

Arches, please test and mark stable:
=www-servers/varnish-3.0.5
Target Keywords : "amd64 x86"

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

(In reply to Agostino Sarubbo from comment #5)
> x86 stable.
>
> Maintainer(s), please cleanup.
> Security, please vote.

Only 3.0.5 is in the tree.

Thanks for your work.

GLSA vote: yes

CVE-2013-4484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4484):
Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI.

Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.

GLSA Vote: Yes

This issue was resolved and addressed in GLSA 201412-30 at http://security.gentoo.org/glsa/glsa-201412-30.xml by GLSA coordinator Mikle Kolyada (Zlogene).