Bug 45157 - varnish: Denial of Service (4.2)
varnish: Denial of Service (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P4 normal (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-07 17:33 CEST by Arvid Requate
Modified: 2018-05-08 14:56 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-08-07 17:33:30 CEST
Upstream Debian package version 4.0.2-1+deb8u1 fixes:

A denial of service vulnerability was discovered in Varnish, a state of
the art, high-performance web accelerator. Specially crafted HTTP
requests can cause the Varnish daemon to assert and restart, clearing
the cache in the process (No CVE yet)
Comment 1 Arvid Requate univentionstaff 2017-08-07 17:53:32 CEST
More detail:

* An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases. (CVE-2017-12425)
Comment 2 Philipp Hahn univentionstaff 2018-01-25 10:59:56 CET
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:57:56 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/varnish_4.0.2-1.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/varnish_4.0.2-1+deb8u1.dsc
@@ -1,3 +1,10 @@
+4.0.2-1+deb8u1 [Mon, 31 Jul 2017 20:30:41 +0200] Salvatore Bonaccorso <carnil@debian.org>:
+
+  * Non-maintainer upload by the Security Team.
+  * Correctly handle bogusly large chunk sizes.
+    This fixes a denial of service attack vector where bogusly large chunk
+    sizes in requests could be used to force restarts of the Varnish server.
+
 4.0.2-1 [Tue, 14 Oct 2014 22:53:05 +0200] Stig Sandbeck Mathisen <ssm@debian.org>:
 
   * use /run instead of /var/run in sysv init scripts (Closes: #708975)
Comment 4 Arvid Requate univentionstaff 2018-05-08 11:40:26 CEST
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 5 Arvid Requate univentionstaff 2018-05-08 14:56:28 CEST
<http://errata.software-univention.de/ucs/4.2/411.html>