FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
d9dbe6e8-84da-11e3-98bd-080027f2d077	varnish -- DoS vulnerability in Varnish HTTP cache Varnish Cache Project reports: If Varnish receives a certain illegal request, and the subroutine 'vcl_error{}' restarts the request, the varnishd worker process will crash with an assert. The varnishd management process will restart the worker process, but there will be a brief interruption of service and the cache will be emptied, causing more traffic to go to the backend. We are releasing this advisory because restarting from vcl_error{} is both fairly common and documented. This is purely a denial of service vulnerability, there is no risk of privilege escalation. Workaround Insert this at the top of your VCL file: sub vcl_error { if (obj.status == 400 \|\| obj.status == 413) { return(deliver); } } Or add this test at the top of your existing vcl_error{}. Discovery 2013-10-30 Entry 2014-01-25 varnish < 3.0.5 CVE-2013-4484 https://www.varnish-cache.org/lists/pipermail/varnish-announce/2013-October/000686.html
bcee3989-d106-4f60-948f-835375634710	varnish -- Varnish HTTP Request Parsing Denial of Service SecurityFocus reports: Varnish is prone to a remote denial-of-service vulnerability because the application fails to handle certain HTTP requests. Successfully exploiting this issue allows remote attackers to crash the affected application denying further service to legitimate users. Discovery 2008-10-17 Entry 2009-02-14 Modified 2009-02-15 varnish < 2.0.1 33712 http://secunia.com/advisories/33852/ http://varnish.projects.linpro.no/wiki/WikiStart

VuXML ID

Description

d9dbe6e8-84da-11e3-98bd-080027f2d077

varnish -- DoS vulnerability in Varnish HTTP cache

Varnish Cache Project reports:

If Varnish receives a certain illegal request, and the subroutine 'vcl_error{}' restarts the request, the varnishd worker process will crash with an assert.

The varnishd management process will restart the worker process, but there will be a brief interruption of service and the cache will be emptied, causing more traffic to go to the backend.

We are releasing this advisory because restarting from vcl_error{} is both fairly common and documented.

This is purely a denial of service vulnerability, there is no risk of privilege escalation.

Workaround

Insert this at the top of your VCL file:
		sub vcl_error {
			if (obj.status == 400 || obj.status == 413) {
				return(deliver);
			}
		}

		Or add this test at the top of your existing vcl_error{}.
	  

Discovery 2013-10-30
Entry 2014-01-25
varnish

< 3.0.5

CVE-2013-4484
https://www.varnish-cache.org/lists/pipermail/varnish-announce/2013-October/000686.html

bcee3989-d106-4f60-948f-835375634710

varnish -- Varnish HTTP Request Parsing Denial of Service

SecurityFocus reports:

Varnish is prone to a remote denial-of-service vulnerability because the application fails to handle certain HTTP requests.

Successfully exploiting this issue allows remote attackers to crash the affected application denying further service to legitimate users.

Discovery 2008-10-17
Entry 2009-02-14
Modified 2009-02-15
varnish

< 2.0.1

33712
http://secunia.com/advisories/33852/
http://varnish.projects.linpro.no/wiki/WikiStart