Bug 45157

Summary: varnish: Denial of Service (4.2)
Product: UCS Reporter: Arvid Requate <requate>
Component: Security updatesAssignee: Philipp Hahn <hahn>
Status: CLOSED FIXED QA Contact: Arvid Requate <requate>
Severity: normal    
Priority: P4 Flags: requate: Patch_Available+
Version: UCS 4.2   
Target Milestone: UCS 4.2-3-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Description Arvid Requate univentionstaff 2017-08-07 17:33:30 CEST 
Upstream Debian package version 4.0.2-1+deb8u1 fixes:

A denial of service vulnerability was discovered in Varnish, a state of
the art, high-performance web accelerator. Specially crafted HTTP
requests can cause the Varnish daemon to assert and restart, clearing
the cache in the process (No CVE yet)
Comment 1 Arvid Requate univentionstaff 2017-08-07 17:53:32 CEST 
More detail:

* An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases. (CVE-2017-12425)
Comment 2 Philipp Hahn univentionstaff 2018-01-25 10:59:56 CET 
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:57:56 CEST 
--- mirror/ftp/4.2/unmaintained/4.2-0/source/varnish_4.0.2-1.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/varnish_4.0.2-1+deb8u1.dsc
@@ -1,3 +1,10 @@
+4.0.2-1+deb8u1 [Mon, 31 Jul 2017 20:30:41 +0200] Salvatore Bonaccorso <carnil@debian.org>:
+
+  * Non-maintainer upload by the Security Team.
+  * Correctly handle bogusly large chunk sizes.
+    This fixes a denial of service attack vector where bogusly large chunk
+    sizes in requests could be used to force restarts of the Varnish server.
+
 4.0.2-1 [Tue, 14 Oct 2014 22:53:05 +0200] Stig Sandbeck Mathisen <ssm@debian.org>:
 
   * use /run instead of /var/run in sysv init scripts (Closes: #708975)
Comment 4 Arvid Requate univentionstaff 2018-05-08 11:40:26 CEST 
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 5 Arvid Requate univentionstaff 2018-05-08 14:56:28 CEST 
<http://errata.software-univention.de/ucs/4.2/411.html>