Bug 776685

Summary:	www-servers/varnish: Denial of service (VSV00006)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	blueness
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Sam James archtester

2021-03-16 15:15:13 UTC

VSV00006 varnish-modules Denial of Service
==========================================

Date: 2021-03-16

An assert or NULL pointer dereference can be triggered in Varnish
Cache through the ``header.append()`` and ``header.copy()`` functions
from the separate `varnish-modules` bundle, which, depending on
specifics of the Varnish Configuration Language (VCL) file used, might
allow for remote clients to cause Varnish to assert and restart.

A restart reduces overall availability and performance due to an
increased number of cache misses, and may cause higher load on backend
servers.

Note that the ``header`` vmod is *not* shipped with Varnish Cache, but
rather only available with the separate `varnish-modules`
package. The Varnish Cache team decided to release this advisory
because `varnish-modules` is a commonly used component with Varnish
Cache installations.

There is no potential for remote code execution or data leaks related
to this vulnerability.

Mitigation is possible through VCL, or by updating to a fixed version
of `varnish-modules`.

Comment 1 Sam James archtester

2021-03-16 15:15:44 UTC

Oh wait:

Note that the header vmod is not shipped with Varnish Cache, but rather only available with the separate varnish-modules package. The Varnish Cache team decided to release this advisory because varnish-modules is a commonly used component with Varnish Cache installations.