Varnish Cache a high-performance HTTP accelerator. A denial of service flaw was found in the way Varnish Cache handled certain GET requests when using certain configurations. A remote attacker could use this flaw to crash a worker process. References: https://www.varnish-cache.org/trac/ticket/1367 https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6 https://www.varnish-cache.org/trac/changeset/9c9a9904bdb56b62017f338baf9c8e906b88dcac
Created varnish tracking bugs for this issue: Affects: fedora-all [bug 1025128] Affects: epel-all [bug 1025129]
I was not familiar enough with varnish to reproduce this issue, but the Fedora and EPEL packages are missing the commit from comment #0
For Fedora, I'll just wait for 3.0.5, I think. f18 and f19 have 3.0.3. 3.0.4 is commited (but not built) to rawhide. I have produced a backport to varnish-2.0.6 (epel 5) of this, available here: http://users.linpro.no/ingvar/varnish/varnish.fix_CVE-2013-4484.patch.txt I'll try to get upstream to validate it. If it goes through, I'll do one for epel 6 too. Ingvar
For some reason, this bug is still open. This was fixed in varnish-2.0.6-4.el5 varnish-2.1.5-5.el6 varnish-3.0.5-1.fc18 varnish-3.0.5-1.fc19 As all depency bugs were closed long time ago, I close this one as well. Ingvar