VSV00001 – DoS vulnerability in Varnish Cache

The following information has been provided by the varnish-announce mailing list.

VSV00001 DoS vulnerability
==========================

CVE-<to be assigned, we couldn’t get one under embargo>

Date:   2017-08-02

A wrong if statement in the varnishd source code means that
particular invalid requests from the client can trigger an assert.

This causes the varnishd worker process to abort and restart, losing
the cached contents in the process.

An attacker can therefore crash the varnishd worker process on
demand and effectively keep it from serving content – a Denial-of-Service
attack.


Varnish Cache 4.1.7 released

The following information has been provided by the varnish-announce mailing list.

Dear Varnish community

We have now made available version 4.1.7, and it can be found here:

https://repo.varnish-cache.org/source/varnish-4.1.7.tar.gz

Packages will be made available in the official repositories today.

The long-standing issue 1746 (see
https://github.com/varnishcache/varnish-cache/issues/1764) has been
fixed in the 4.1 branch, and this fix will change how Varnish behaves in
certain circumstances.

Before 4.1.7-beta1, the nuke_limit parameter was ignored, so a varnish
instance could nuke any number of objects to make room for a new big
object. From 4.1.7-beta1, only a limited number of objects will be
nuked before Varnish gives up and decides there is no room for the new
object.

The default nuke_limit is 10, and this number is high enough to not
affect most users. However, if you want to make sure that the
behavior is not changed when upgrading, you should set the value much
higher.
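
A toy model of the nuke_limit behaviour change described in the announcement above, added here as an illustration; it is not Varnish code and not part of the announcement. The class and function names, the sizes, and the assumption that objects already nuked stay evicted when the insert gives up are all constructed for this example.

```python
from collections import OrderedDict

class ToyStorage:
    """Simplified fixed-size cache with LRU nuking (a model, not Varnish code)."""

    def __init__(self, capacity, nuke_limit=None):
        self.capacity = capacity
        # None models the behaviour before 4.1.7-beta1: the limit is ignored.
        self.nuke_limit = nuke_limit
        self.objects = OrderedDict()  # name -> size, least recently used first
        self.used = 0

    def insert(self, name, size):
        """Try to store an object. Returns (stored, number_of_objects_nuked)."""
        nuked = 0
        while self.capacity - self.used < size:
            if not self.objects:
                return False, nuked  # nothing left to evict
            if self.nuke_limit is not None and nuked >= self.nuke_limit:
                # Give up: no room for the new object.
                # Assumption: objects nuked so far are not restored.
                return False, nuked
            _, freed = self.objects.popitem(last=False)  # evict LRU object
            self.used -= freed
            nuked += 1
        self.objects[name] = size
        self.used += size
        return True, nuked

def fill_then_insert_big(nuke_limit, small_count=100, small_size=1, big_size=50):
    """Fill the cache with small objects, then insert one big object.

    Returns (stored, nuked, objects_left_in_cache). Sizes are constructed
    sample values in arbitrary units.
    """
    store = ToyStorage(capacity=small_count * small_size, nuke_limit=nuke_limit)
    for i in range(small_count):
        store.insert(f"small-{i}", small_size)
    stored, nuked = store.insert("big", big_size)
    return stored, nuked, len(store.objects)

if __name__ == "__main__":
    for limit in (None, 10, 50):
        stored, nuked, left = fill_then_insert_big(limit)
        print(f"nuke_limit={limit}: stored={stored} nuked={nuked} objects={left}")
```

In this model the big object is only stored once nuke_limit is at least the number of small objects that must be evicted to fit it, which is the ratio to check against your own largest and typical object sizes before upgrading.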