Bugzilla – Bug 1051917
VUL-0: varnish: DoS through reachable assert
Last modified: 2020-04-28 13:17:50 UTC
https://www.varnish-cache.org/security/VSV00001.html#vsv00001 A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert. This causes the varnishd worker process to abort and restart, loosing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. Changelog roulette, please reassign to the security team if you don't want to take it. References: http://www.debian.org/security/2017/dsa-3924 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870467
42.3 is out of maintenance; 15.0/15.1 has varnish 6.x where it is fixed.
Closing