Summary: | <www-servers/varnish-3.0.7: Multiple vulnerabilities (CVE-2015-8852) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | blueness, hydrapolic, idl0r |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2015/q1/776 | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-03-11 08:27:29 UTC
Strange, just tested with 4.0.3 on hardened amd64 and it didn't crash.

CVE-2015-8852 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8852): Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.

(In reply to Tomáš Mózes from comment #1)
> Strange, just tested with 4.0.3 on hardened amd64 and it didn't crash.

Same test results for me and the relevant CVE does not address any 4.x branch. 3.0.7 is stable and no vulnerable versions are present.

New GLSA Request filed.

This bug contains two vulnerabilities in it. One is the original heap overflow reported by Ago and the other is the improper HTTP validation. They are related and have both been fixed.

varnish 3.x has been EOL since 2015-03-23, so I punted it. See

http://www.varnish-cache.org/releases/index.html

(In reply to Anthony Basile from comment #5)
> varnish 3.x has been EOL since 2015-03-23, so I punted it. See
>
> http://www.varnish-cache.org/releases/index.html

Thanks, Anthony. GLSA is pending review.

This issue was resolved and addressed in GLSA 201607-10 at https://security.gentoo.org/glsa/201607-10 by GLSA coordinator Aaron Bauman (b-man).
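
The CVE-2015-8852 description quoted in this thread names two request properties that a front-end in a stacked installation can check before forwarding: a bare `\r` inside a header line and more than one Content-Length header. The following is an added example, not code from Varnish or from this bug; `check_request_head` and the sample requests are constructed for illustration.

```python
import re

# Characters allowed in a header field name (RFC 7230 "token").
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def check_request_head(raw: bytes) -> list[str]:
    """Return findings for the header block of a raw HTTP/1.x request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    findings = []
    if not sep:
        findings.append("header block not terminated by CRLF CRLF")
    content_lengths = []
    for n, line in enumerate(head.split(b"\r\n"), start=1):
        if b"\r" in line or b"\n" in line:
            findings.append(f"line {n}: bare CR or LF in line")
        if n == 1:
            continue  # request line: only the bare CR/LF check applies
        # A lenient parser may treat a bare CR as a line ending, so
        # inspect each piece the way such a parser would see it.
        for piece in re.split(rb"[\r\n]", line):
            if not piece:
                continue
            name, colon, value = piece.partition(b":")
            if not colon or not TOKEN.match(name):
                # Also rejects obsolete line folding (leading whitespace).
                findings.append(f"line {n}: malformed header field")
            elif name.lower() == b"content-length":
                content_lengths.append(value.strip())
    if len(content_lengths) > 1:
        findings.append(f"{len(content_lengths)} Content-Length headers")
    if any(not v.isdigit() for v in content_lengths):
        findings.append("non-numeric Content-Length")
    return findings

# Constructed sample requests (not taken from the bug report).
CLEAN = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
SUSPECT = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 5\rContent-Length: 0\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, check_request_head(req) or "ok")
```

A request with any finding should be rejected with a 400 rather than normalised and forwarded, so that every hop in the stack sees the same header boundaries and the same body length.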