Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

varnish: CVE-2017-12425: Bogusly large chunk sizes may cause assert

Related Vulnerabilities: CVE-2017-12425  

Source

Debian Bug report logs - #870467
varnish: CVE-2017-12425: Bogusly large chunk sizes may cause assert

version graph

Package: src:varnish; Maintainer for src:varnish is Varnish Package Maintainers <team+varnish-team@tracker.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 2 Aug 2017 10:21:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version varnish/4.0.1-1

Fixed in versions varnish/4.0.2-1+deb8u1, varnish/5.0.0-7+deb9u1, varnish/5.0.0-7.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/varnishcache/varnish-cache/issues/2379

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#870467; Package src:varnish. (Wed, 02 Aug 2017 10:21:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Wed, 02 Aug 2017 10:21:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: varnish: DoS vulnerability
Date: Wed, 02 Aug 2017 12:18:27 +0200
Source: varnish
Version: 4.0.1-1
Severity: grave
Tags: security upstream patch

Hi

See https://www.varnish-cache.org/security/VSV00001.html#vsv00001 for
details.

I did prepare already updates for jessie- and stretch-security and
will try to release the updates shortly.

Regards,
Salvatore

Changed Bug title to 'varnish: Bogusly large chunk sizes may cause assert' from 'varnish: DoS vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Aug 2017 10:24:05 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://github.com/varnishcache/varnish-cache/issues/2379'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Aug 2017 10:24:05 GMT) (full text, mbox, link).

Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Aug 2017 10:33:03 GMT) (full text, mbox, link).

Marked as fixed in versions varnish/4.0.2-1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Aug 2017 12:00:03 GMT) (full text, mbox, link).

Marked as fixed in versions varnish/5.0.0-7+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Aug 2017 12:00:04 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#870467; Package src:varnish. (Fri, 04 Aug 2017 04:51:08 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Fri, 04 Aug 2017 04:51:08 GMT) (full text, mbox, link).

Message #20 received at 870467@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 870467@bugs.debian.org
Subject: varnish: diff for NMU version 5.0.0-7.1
Date: Fri, 4 Aug 2017 06:48:04 +0200
[Message part 1 (text/plain, inline)]
Control: tags 870467 + pending

Dear maintainer,

I've prepared an NMU for varnish (versioned as 5.0.0-7.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

[varnish-5.0.0-7.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 870467-submit@bugs.debian.org. (Fri, 04 Aug 2017 04:51:08 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#870467; Package src:varnish. (Fri, 04 Aug 2017 08:54:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Fri, 04 Aug 2017 08:54:03 GMT) (full text, mbox, link).

Message #27 received at 870467@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 870467@bugs.debian.org
Subject: Re: Bug#870467: varnish: DoS vulnerability
Date: Fri, 4 Aug 2017 10:50:32 +0200
Control: retitle -1 varnish: CVE-2017-12425: Bogusly large chunk sizes may cause assert


CVE-2017-12425 has been assigned for this issue.

Regards,
Salvatore

Changed Bug title to 'varnish: CVE-2017-12425: Bogusly large chunk sizes may cause assert' from 'varnish: Bogusly large chunk sizes may cause assert'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 870467-submit@bugs.debian.org. (Fri, 04 Aug 2017 08:54:03 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#870467; Package src:varnish. (Fri, 04 Aug 2017 09:09:06 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Fri, 04 Aug 2017 09:09:06 GMT) (full text, mbox, link).

Message #34 received at 870467@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 870467@bugs.debian.org
Subject: varnish: diff for NMU version 5.0.0-7.1
Date: Fri, 4 Aug 2017 11:05:53 +0200
[Message part 1 (text/plain, inline)]
Dear maintainer,

I've prepared an NMU for varnish (versioned as 5.0.0-7.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

This is a new NMU diff, which includeds the CVE reference.

Regards,
Salvatore

[varnish-5.0.0-7.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 06 Aug 2017 09:36:04 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 06 Aug 2017 09:36:04 GMT) (full text, mbox, link).

Message #39 received at 870467-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 870467-close@bugs.debian.org
Subject: Bug#870467: fixed in varnish 5.0.0-7.1
Date: Sun, 06 Aug 2017 09:33:50 +0000
Source: varnish
Source-Version: 5.0.0-7.1

We believe that the bug you reported is fixed in the latest version of
varnish, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870467@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated varnish package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Aug 2017 10:55:36 +0200
Source: varnish
Binary: varnish varnish-doc libvarnishapi1 libvarnishapi-dev
Architecture: source
Version: 5.0.0-7.1
Distribution: unstable
Urgency: high
Maintainer: Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 870467
Description: 
 libvarnishapi-dev - development files for Varnish
 libvarnishapi1 - shared libraries for Varnish
 varnish    - state of the art, high-performance web accelerator
 varnish-doc - documentation for Varnish Cache
Changes:
 varnish (5.0.0-7.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2017-12425: Correctly handle bogusly large chunk sizes.
     This fixes a denial of service attack vector where bogusly large chunk
     sizes in requests could be used to force restarts of the Varnish server.
     (Closes: #870467)
Checksums-Sha1: 
 703c9541790df6d6ae8f4c937bb14b758f863842 2639 varnish_5.0.0-7.1.dsc
 4fb4fcc865cfbdfebba789ce8f12f4e13d05374f 21740 varnish_5.0.0-7.1.debian.tar.xz
Checksums-Sha256: 
 191f0311aff42e901d36ffd96afa1adbc1fafdc42b5442aca022eed7e3154c51 2639 varnish_5.0.0-7.1.dsc
 4be90295a6a18b8798c545c6ddc20c2030e409a16bfa54e5515a184153d32e6a 21740 varnish_5.0.0-7.1.debian.tar.xz
Files: 
 328244462757848ecc1015fbe90a8752 2639 web optional varnish_5.0.0-7.1.dsc
 78faded102b7e1e3b7237928dae9ed3f 21740 web optional varnish_5.0.0-7.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlmEOARfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EEKYP/1CAlsf4I2pRo0eBlz9TM2JADPOI0Nq5
/+bIMPlva1aX55ZbaMNZrOcE198rLCE31At/blbwKtPGR383UHieSJsvZJQl+jqC
8OD3LUdo/d/Eluo01iDFx3CpqyIC0fMY5fbTK4n84ArGD9ELBwG/8+wyj8jN0xac
g98uJeuW0O4uLzLb0bY0wSm40lRdLdKiPvjLAPMGfFmFIMq1BrBtZfjywn0AX8mI
QPQbCFXcDNtQob44lBqVZXkoIlq6OgjqKDiL32K+dnTxHjxyap1rQneNWQ3AUk5W
5OWUJVxqMi8nk5YY86Sh9GlL/tbNZiW8EluUspvCS49xDRZ5rsxrbc6zDsthKy37
JAUa0SU05dmuBJAmKApxJhedNa1WBAIxwEEdCvTzDIlsy2edil5MLmYpH7hLMSpE
OOfgaqmi4osBKMWhbsICH83XVeMonZ9u9y13ECUQiFrKKETXFPVCj9kiGeYITnpA
Prgv764QmqwDeP/oU2RZ3OHollY4qDXiJZp4TE1Z/ecrhhHVYo+il9GBAR3ldZRo
sjW2/aZaJLFLM1QZyOQ6AKXPTdZNRZM10SRMzBxuMvEHo1UnnuH8iEHC9Ax1ixAa
BtxGm2Ru4ZVNic0Y/x2Fzh05D7mvPrYuMWiDMcyPulKw4BBWMMyx8OjGDyEhhEzZ
dIMVvPfbveyN
=ug/j
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Oct 2017 07:31:16 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:58:33 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started