group.of.nepali.translators team mailing list archive
Message #15712
[Bug 1708354] Re: [CVE] Correctly handle bogusly large chunk sizes
This bug was fixed in the package varnish - 5.0.0-7ubuntu0.1
---------------
varnish (5.0.0-7ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Correctly handle bogusly large chunk sizes (LP: #1708354)
    - 5.0-Correctly-handle-bogusly-large-chunk-sizes.patch
    - CVE-2017-12425

 -- Simon Quigley <tsimonq2@xxxxxxxxxx>  Mon, 07 Aug 2017 12:57:31 -0500
** Changed in: varnish (Ubuntu Zesty)
Status: Fix Committed => Fix Released
** Changed in: varnish (Ubuntu Xenial)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1708354
Title:
[CVE] Correctly handle bogusly large chunk sizes
Status in varnish package in Ubuntu:
Fix Released
Status in varnish source package in Xenial:
Fix Released
Status in varnish source package in Zesty:
Fix Released
Bug description:
https://varnish-cache.org/security/VSV00001.html
CVE-2017-12425
Date: 2017-08-02
A wrong if statement in the varnishd source code means that particular
invalid requests from the client can trigger an assert.
This causes the varnishd worker process to abort and restart, losing
the cached contents in the process.
An attacker can therefore crash the varnishd worker process on demand
and effectively keep it from serving content - a Denial-of-Service
attack.
Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.
Versions affected
4.0.1 to 4.0.4
4.1.0 to 4.1.7
5.0.0
5.1.0 to 5.1.2