489944 – (CVE-2013-4484) <www-servers/varnish-3.0.5: denial of service handling certain GET requests (CVE-2013-4484)

Bug 489944 (CVE-2013-4484) - <www-servers/varnish-3.0.5: denial of service handling certain GET requests (CVE-2013-4484)

Summary: <www-servers/varnish-3.0.5: denial of service handling certain GET requests (...

Status:	RESOLVED FIXED

Alias:	CVE-2013-4484

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-10-31 09:24 UTC by Agostino Sarubbo
Modified:	2014-12-15 12:25 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-10-31 09:24:53 UTC

Varnish Cache a high-performance HTTP accelerator. A denial of service flaw was found in the way Varnish Cache handled certain GET requests when using certain configurations. A remote attacker could use this flaw to crash a worker process.

References:

https://www.varnish-cache.org/trac/ticket/1367
https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6
https://www.varnish-cache.org/trac/changeset/9c9a9904bdb56b62017f338baf9c8e906b88dcac

Comment 1 Chris Reffett (RETIRED) gentoo-dev

2013-12-03 00:54:19 UTC

3.0.5 released today, should have the fix.

Comment 2 Anthony Basile gentoo-dev

2013-12-03 14:31:41 UTC

(In reply to Chris Reffett from comment #1)
> 3.0.5 released today, should have the fix.

I added it to the tree and tested.  Please rapid stabilize for amd64 and x86.

Comment 3 Yury German Gentoo Infrastructure

2013-12-04 04:11:02 UTC

Arches, please test and mark stable:

=www-servers/varnish-3.0.5

Target Keywords : "amd64 x86"

Comment 4 Agostino Sarubbo gentoo-dev

2013-12-06 20:40:07 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2013-12-06 20:42:09 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 6 Anthony Basile gentoo-dev

2013-12-06 21:16:42 UTC

(In reply to Agostino Sarubbo from comment #5)
> x86 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

Only 3.0.5 is in the tree.

Comment 7 Sergey Popov (RETIRED) gentoo-dev

2013-12-09 07:18:42 UTC

Thanks for your work.

GLSA vote: yes

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2013-12-09 08:46:21 UTC

CVE-2013-4484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4484):
  Varnish before 3.0.5 allows remote attackers to cause a denial of service
  (child-process crash and temporary caching outage) via a GET request with
  trailing whitespace characters and no URI.

Comment 9 Yury German Gentoo Infrastructure

2014-06-19 02:09:51 UTC

Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.

Comment 10 Yury German Gentoo Infrastructure

2014-06-19 02:10:04 UTC

GLSA Vote: Yes

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2014-12-15 12:25:50 UTC

This issue was resolved and addressed in
 GLSA 201412-30 at http://security.gentoo.org/glsa/glsa-201412-30.xml
by GLSA coordinator Mikle Kolyada (Zlogene).