Varnish CVE-2017-12425 / VSV00001 DoS vulnerability
A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert.
This causes the varnishd worker process to abort and restart, losing the cached contents in the process.
An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack.
Package-Versions affected (Alpine Release):
- 4.1.2-r1 (v3.3)
- 4.1.2-r3 (v3.4)
- 4.1.3-r0 (v3.5)
- 4.1.3-r0 (v3.6)
- 5.1.2-r1 (edge, already flagged)
This might affect older releases if they use Varnish 4.0.1 or later, but they are not listed in the Alpine package search.
The problem could be fixed either by upgrading to Varnish 4.1.8 / 5.1.3 or by applying the following one-line patch:
https://github.com/varnishcache/varnish-cache/commit/c37821ddd539a23845ae8e9a7a9cc958358c1541.patch
Details: https://varnish-cache.org/security/VSV00001.html
(from redmine: issue id 7631, created on 2017-08-06, closed on 2017-08-07)
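
A version check for the range described in this issue (4.0.1 or later, fixed in 4.1.8 and 5.1.3), as an added example that is not part of the original report or of the Varnish or Alpine projects. The function names `ver_to_int` and `vsv00001_status` are hypothetical; the check looks at the upstream version only, so a package rebuilt with the one-line patch but keeping an older upstream version still reads as affected.

```shell
#!/bin/sh
# Added example: classify Varnish package versions against the range in this
# issue. Usage: sh check.sh 4.1.2-r1 5.1.3-r0 ...

# ver_to_int "4.1.3" -> 4001003 (assumes each component is below 1000)
ver_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; input is validated by the caller
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# vsv00001_status VERSION -> prints affected | not-affected | unknown
vsv00001_status() {
    # Drop the Alpine package revision ("-r3") to get the upstream version.
    upstream=${1%%-r*}
    case $upstream in
        # Reject anything that is not a plain dotted number, including
        # leading zeros (the shell would read them as octal).
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*)
            echo unknown
            return 0
            ;;
    esac
    v=$(ver_to_int "$upstream")
    major=${upstream%%.*}
    if [ "$v" -lt 4000001 ]; then
        echo not-affected                    # older than 4.0.1
    elif [ "$major" -eq 4 ] && [ "$v" -lt 4001008 ]; then
        echo affected                        # 4.0.1 up to, not including, 4.1.8
    elif [ "$major" -eq 5 ] && [ "$v" -lt 5001003 ]; then
        echo affected                        # 5.x before 5.1.3
    else
        echo not-affected                    # 4.1.8+, 5.1.3+, or a later major
    fi
}

# Classify every version given on the command line.
for pkgver in "$@"; do
    printf '%s\t%s\n' "$pkgver" "$(vsv00001_status "$pkgver")"
done
```

A result of `affected` on a patched package has to be cleared by confirming that the package build includes the commit linked above.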