Red Hat Bugzilla – Bug 1025127
CVE-2013-4484 varnish: denial of service handling certain GET requests
Last modified: 2015-07-31 03:11:54 EDT
Varnish Cache is a high-performance HTTP accelerator. A denial of service flaw was found in the way Varnish Cache handled certain GET requests when using certain configurations. A remote attacker could use this flaw to crash a worker process.
Created varnish tracking bugs for this issue:
Affects: fedora-all [bug 1025128]
Affects: epel-all [bug 1025129]
I was not familiar enough with varnish to reproduce this issue, but the Fedora and EPEL packages are missing the commit from comment #0.
For Fedora, I'll just wait for 3.0.5, I think. f18 and f19 have 3.0.3. 3.0.4 is committed (but not built) to rawhide.
I have produced a backport to varnish-2.0.6 (epel 5) of this, available here:
I'll try to get upstream to validate it.
If it goes through, I'll do one for epel 6 too.
For some reason, this bug is still open.
This was fixed in
As all dependency bugs were closed a long time ago, I close this one as well.