Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 489944 (CVE-2013-4484)

Summary: <www-servers/varnish-3.0.5: denial of service handling certain GET requests (CVE-2013-4484)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1025127
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-10-31 09:24:53 UTC
Varnish Cache a high-performance HTTP accelerator. A denial of service flaw was found in the way Varnish Cache handled certain GET requests when using certain configurations. A remote attacker could use this flaw to crash a worker process.

References:

https://www.varnish-cache.org/trac/ticket/1367
https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6
https://www.varnish-cache.org/trac/changeset/9c9a9904bdb56b62017f338baf9c8e906b88dcac
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 00:54:19 UTC
3.0.5 released today, should have the fix.
Comment 2 Anthony Basile gentoo-dev 2013-12-03 14:31:41 UTC
(In reply to Chris Reffett from comment #1)
> 3.0.5 released today, should have the fix.

I added it to the tree and tested.  Please rapid stabilize for amd64 and x86.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2013-12-04 04:11:02 UTC
Arches, please test and mark stable:

=www-servers/varnish-3.0.5

Target Keywords : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2013-12-06 20:40:07 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-12-06 20:42:09 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Anthony Basile gentoo-dev 2013-12-06 21:16:42 UTC
(In reply to Agostino Sarubbo from comment #5)
> x86 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

Only 3.0.5 is in the tree.
Comment 7 Sergey Popov gentoo-dev 2013-12-09 07:18:42 UTC
Thanks for your work.

GLSA vote: yes
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-12-09 08:46:21 UTC
CVE-2013-4484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4484):
  Varnish before 3.0.5 allows remote attackers to cause a denial of service
  (child-process crash and temporary caching outage) via a GET request with
  trailing whitespace characters and no URI.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:09:51 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:10:04 UTC
GLSA Vote: Yes
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 12:25:50 UTC
This issue was resolved and addressed in
 GLSA 201412-30 at http://security.gentoo.org/glsa/glsa-201412-30.xml
by GLSA coordinator Mikle Kolyada (Zlogene).