[Pkg-varnish-devel] Bug#728989: Bug#728989: varnish: CVE-2013-4484
Stig Sandbeck Mathisen
ssm at debian.org
Thu Nov 7 19:31:46 UTC 2013
Salvatore Bonaccorso <carnil at debian.org> writes:
> Know you are already aware, opening bugreport to keep track of this
> issue.
Thanks.
> the following vulnerability was published for varnish.
>
> CVE-2013-4484[0]:
> | Varnish before 3.0.5 allows remote attackers to cause a denial of
> | service (child-process crash and temporary caching outage) via a GET
> | request with trailing whitespace characters and no URI.
Just to add some information about this issue:
Varnish is not vulnerable in its default configuration.
To be vulnerable, varnish must be configured with "return(restart)"
inside the "vcl_error" sub. Example:
sub vcl_error {
return(restart);
}
A workaround for people with matching configurations: Ensure that
vcl_error does "return(deliver)" for status codes 400 and 413, before
any "return(restart)". Example:
sub vcl_error {
if (obj.status == 400 || obj.status == 413) {
return(deliver);
}
}
--
Stig Sandbeck Mathisen <ssm at debian.org>
More information about the Pkg-varnish-devel
mailing list