Varnish varnish-modules before 0.17.1 allows remote attackers to cause a denial of service (daemon restart) in some configurations. This does not affect organizations that only install the Varnish Cache product; however, it is common to install both Varnish Cache and varnish-modules. Specifically, an assertion failure or NULL pointer dereference can be triggered in Varnish Cache through the varnish-modules header.append() and header.copy() functions. For some Varnish Configuration Language (VCL) files, this gives remote clients an opportunity to cause a Varnish Cache restart. A restart reduces overall availability and performance due to an increased number of cache misses, and may cause higher load on backend servers. Reference: https://varnish-cache.org/security/VSV00006.html
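The description above says the crash depends on the VCL in use. As an added illustration (not code from the bug report, the Varnish project, or the VSV00006 advisory), the following VCL fragment shows the kind of call site that hands header.copy() and header.append() a header the client may not have sent, next to a guarded form that only calls into the vmod when the header exists. The header names, backend, and the assumption that an absent source header is what reaches the crash path are assumptions made here for illustration; the advisory linked in the report is authoritative on the exact condition, and upgrading to varnish-modules 0.17.1 is the real fix.

```vcl
vcl 4.1;

import header;

# Constructed backend for the example; not from the bug report.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Exposed pattern (assumption): the source header is client-controlled and
    # may be absent, so the vmod can be called with nothing to copy from.
    # header.copy(req.http.X-Forwarded-Host, req.http.X-Orig-Host);

    # Guarded form: the VCL if-test on a header is false when the header is
    # unset, so the vmod is only entered when there is a value to copy.
    if (req.http.X-Forwarded-Host) {
        header.copy(req.http.X-Forwarded-Host, req.http.X-Orig-Host);
    }
}

sub vcl_deliver {
    # Same guard for header.append(): the STRING argument is taken from a
    # response header that may be unset, so test it first.
    if (resp.http.X-Cache-Hits) {
        header.append(resp.http.Via, resp.http.X-Cache-Hits);
    }
}
```

The guard is a workaround, not a substitute for the update: it only protects the call sites you find and wrap, and any header.copy()/header.append() left unguarded in another subroutine keeps the same exposure.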
Created varnish-modules tracking bugs for this issue:
Affects: fedora-all [bug 1939671]

Created varnish:6.0/varnish-modules tracking bugs for this issue:
Affects: fedora-all [bug 1939672]
rawhide/f35 has been updated with varnish-modules-0.17.1, which includes a fix for this problem.
FEDORA-2021-2ad352ec70 security update for f34 has varnish-modules-0.17.1, which includes a fix for this problem. https://bodhi.fedoraproject.org/updates/FEDORA-2021-2ad352ec70
This is not a Fedora bug, please do not change its state.
FEDORA-2021-2ad352ec70 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
External References: https://varnish-cache.org/security/VSV00006.html
Upstream fix: https://github.com/varnish/varnish-modules/commit/2c120e576ebb73bc247790184702ba58dc0afc39
Mitigation: Refer to https://varnish-cache.org/security/VSV00006.html#mitigation.
Statement: The following products are not affected by this flaw, as they ship an older version of the `varnish-modules` package which did not include the vulnerable code in the `header` vmod:
* Red Hat Enterprise Linux 8
* Red Hat Software Collections
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28543