Bug 848451 (CVE-2013-4484) - VUL-0: CVE-2013-4484: varnish denial of service
Summary: VUL-0: CVE-2013-4484: varnish denial of service
Status: RESOLVED FIXED
Alias: CVE-2013-4484
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Jan Engelhardt
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-31 07:41 UTC by Marcus Meissner
Modified: 2015-02-18 23:35 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-10-31 07:41:01 UTC
CVE-2013-4484, via rh bugzilla

Varnish Cache is a high-performance HTTP accelerator. A denial of service flaw was found in the way Varnish Cache handled certain GET requests when using certain configurations. A remote attacker could use this flaw to crash a worker process.

References:

https://www.varnish-cache.org/trac/ticket/1367
https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6
https://www.varnish-cache.org/trac/changeset/9c9a9904bdb56b62017f338baf9c8e906b88dcac
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4484
https://bugzilla.redhat.com/show_bug.cgi?id=1025127
Comment 1 Swamp Workflow Management 2013-10-31 23:00:22 UTC
bugbot adjusting priority
Comment 2 Jan Engelhardt 2013-11-07 02:12:33 UTC
openSUSE:Maintenance:2185 is waiting.
Comment 3 Marcus Meissner 2013-11-07 07:43:44 UTC
The review team was unhappy:

osc rq show 205737 

Request: #205737
Message:
auto release requested

State:   declined   2013-11-05T08:35:34 saschpe
Comment: varnish-disable-pcrejit.diff added to 12.2 not applied, missing from 12.3 but applied.

Review:  declined   Group: opensuse-review-team                        2013-11-04T18:32:02 saschpe               varnish-disable-pcrejit.diff added to 12.2 not applied, missing from 12.3 but applied.


What about it, should we apply it or remove it?
Comment 4 Jan Engelhardt 2013-11-07 08:02:16 UTC
The JIT needs to be disabled for varnish >= 3.0.3 (openSUSE 12.3, 13.1).

The JIT patch is not needed in varnish <= 3.0.2 as it won't even apply (11.4/12.2). If it is in the srpm nevertheless, no big deal. Just an unused file then.
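The review team's objection in comment 3 was a consistency one: the same patch was listed but not applied on one release and applied but not listed on another. One packaging pattern that avoids both states is to list the patch once and guard the `%patch` line with a distribution-version conditional, so it is applied exactly on the releases whose varnish is new enough (12.3 and 13.1 carry 3.0.3; 12.2 carries 3.0.2). The snippet below is an added illustration, not taken from the bug or from the openSUSE varnish package; the patch number and the `-p1` strip level are assumptions, only the patch file name comes from the bug.

```spec
# Added example, not the openSUSE varnish spec. Patch number and -p level assumed.
Patch1:         varnish-disable-pcrejit.diff

%prep
%setup -q
# suse_version is 1220 for openSUSE 12.2, 1230 for 12.3 and 1310 for 13.1.
# The JIT-disabling patch targets varnish >= 3.0.3 (12.3 and later) and does
# not apply to the 3.0.2 sources shipped in 12.2, so apply it only there.
%if 0%{?suse_version} >= 1230
%patch1 -p1
%endif
```

Keeping the `Patch1:` line unconditional means the file is still part of the source RPM on 12.2 (the "unused file" case above), while the conditional prevents `rpmbuild` from failing on sources the patch cannot be applied to.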
Comment 5 Benjamin Brunner 2013-11-15 09:46:55 UTC
Update released for openSUSE 12.2, 12.3 and 13.1. Resolved fixed.
Comment 6 Swamp Workflow Management 2013-11-15 10:04:22 UTC
openSUSE-SU-2013:1679-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 848451
CVE References: CVE-2013-4484
Sources used:
openSUSE 12.3 (src):    varnish-3.0.3-2.10.1
openSUSE 12.2 (src):    varnish-3.0.2-2.6.1
Comment 7 Swamp Workflow Management 2013-11-15 18:05:39 UTC
openSUSE-SU-2013:1683-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 839358,848451
CVE References: CVE-2013-4484
Sources used:
openSUSE 13.1 (src):    varnish-3.0.3-4.5.1