[ASA-201708-4] varnish: denial of service
Arch Linux Security Advisory ASA-201708-4
=========================================
Severity: High
Date    : 2017-08-10
CVE-ID  : CVE-2017-12425
Package : varnish
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-374
Summary
=======
The package varnish before version 5.1.3-1 is vulnerable to denial of
service.
Resolution
==========
Upgrade to 5.1.3-1.
# pacman -Syu "varnish>=5.1.3-1"
The problem has been fixed upstream in version 5.1.3.
Workaround
==========
None.
Description
===========
A remote, non-authenticated denial of service has been found in varnish
< 5.1.3. A wrong if statement in the varnishd source code can trigger
an assert when processing invalid requests from the client. This causes
the varnishd worker process to abort and restart, losing the cached
contents in the process.
Impact
======
A remote attacker can crash a varnishd server by sending a crafted HTTP
request.
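Two checks a defender might want from this advisory, as an added example that is not part of the Arch advisory or of the Varnish project: a version comparison that follows pacman's vercmp rules closely enough to decide whether an installed package version is older than the fixed 5.1.3-1, and a scan over varnishd manager log lines for worker deaths, since each abort described above restarts the worker and empties the cache. The log lines are constructed sample data and their format is an assumption; the comparison is a simplified re-implementation, not pacman's own code.

```python
import re

# Fixed package version stated in the advisory (pkgver-pkgrel).
FIXED_VERSION = "5.1.3-1"


def _segments(s):
    # Split into numeric and alphabetic runs. Numeric segments sort after
    # alphabetic ones, as in pacman's vercmp, so "5.1.3rc1" < "5.1.3".
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]


def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x != y:
            return -1 if x < y else 1
    if len(a) == len(b):
        return 0
    # One side has leftover segments: a leftover numeric segment ("1.0.1" vs
    # "1.0") means newer, a leftover alphabetic one ("1.0a" vs "1.0") older.
    longer, sign = (a, 1) if len(a) > len(b) else (b, -1)
    leftover_is_numeric = longer[min(len(a), len(b))][0] == 1
    return sign if leftover_is_numeric else -sign


def parse_arch_version(v):
    # Arch version strings look like [epoch:]pkgver[-pkgrel].
    epoch, pkgrel = 0, None
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        v, pkgrel = v.rsplit("-", 1)
    return epoch, v, pkgrel


def compare_versions(a, b):
    # Returns -1, 0 or 1 like vercmp. pkgrel is only compared when both
    # versions carry one, matching pacman's behaviour.
    ea, va, ra = parse_arch_version(a)
    eb, vb, rb = parse_arch_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_segments(_segments(va), _segments(vb))
    if c != 0 or ra is None or rb is None:
        return c
    return _cmp_segments(_segments(ra), _segments(rb))


def is_vulnerable(installed):
    # True when the installed package predates the fixed 5.1.3-1.
    return compare_versions(installed, FIXED_VERSION) < 0


# Constructed sample of varnishd manager log lines (format assumed, not
# taken from the advisory): two worker aborts, each followed by a restart.
SAMPLE_LOG = """\
varnishd[1001]: Child (1002) died signal=6
varnishd[1001]: Child cleanup complete
varnishd[1001]: Child (1010) Started
varnishd[1001]: Child (1010) died signal=6
varnishd[1001]: Child (1020) Started
"""


def count_worker_aborts(log_text):
    # Every abnormal worker death is one cache wipe; a burst of these on a
    # pre-5.1.3 install is worth correlating with the requests that preceded it.
    return len(re.findall(r"Child \(\d+\) died signal=\d+", log_text))


if __name__ == "__main__":
    for v in ("5.1.2-1", "5.1.3rc1-1", "5.1.3-1", "5.1.3-2", "1:5.0.0-1"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("worker aborts in sample log:", count_worker_aborts(SAMPLE_LOG))
```

Feed `is_vulnerable()` the output of `pacman -Q varnish` (the second field) to check a host; feed `count_worker_aborts()` the varnishd lines from the system journal to see whether the restart pattern is already occurring.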
References
==========
https://varnish-cache.org/security/VSV00001.html#vsv00001
https://security.archlinux.org/CVE-2017-12425