Varnish Cache is a high-performance HTTP accelerator. A denial of service flaw was found in the way Varnish Cache handled certain GET requests when using certain configurations. A remote attacker could use this flaw to crash a worker process.
3.0.5 released today, should have the fix.
(In reply to Chris Reffett from comment #1)
> 3.0.5 released today, should have the fix.
I added it to the tree and tested. Please rapid stabilize for amd64 and x86.
Arches, please test and mark stable:
Target Keywords : "amd64 x86"
Maintainer(s), please cleanup.
Security, please vote.
(In reply to Agostino Sarubbo from comment #5)
> x86 stable.
> Maintainer(s), please cleanup.
> Security, please vote.
Only 3.0.5 is in the tree.
Thanks for your work.
GLSA vote: yes
Varnish before 3.0.5 allows remote attackers to cause a denial of service
(child-process crash and temporary caching outage) via a GET request with
trailing whitespace characters and no URI.
Arches and Maintainer(s), thank you for your work.
New GLSA Request filed.
GLSA Vote: Yes
This issue was resolved and addressed in
GLSA 201412-30 at http://security.gentoo.org/glsa/glsa-201412-30.xml
by GLSA coordinator Mikle Kolyada (Zlogene).