Date: Mon, 18 Apr 2016 08:05:30 +0000 (UTC)
From: Sébastien Delafond
Subject: Re: CVE request: Varnish 3 before 3.0.7 was vulnerable to HTTP
 Smuggling issues: Double Content Length and bad EOL

On 2016-04-16, Régis Leroy wrote:
> Varnish 4.x series is not impacted. Flaws fixed in version 3.0.7 in March 2015.
> Changelog is:
>  * Requests with multiple Content-Length headers will now fail.
>  * Stop recognizing a single CR (\r) as a HTTP line separator. This
> opened up a possible cache poisoning attack in stacked installations
> where sslterminator/varnish/backend had different CR handling.
> Combinations of these two flaws in HTTP protocol handling allow for
> "HTTP Response Splitting" attacks
> when another actor in front of Varnish3 can transmit headers in this
> form (for example):
>     Dummy: header\rContent-Length: 0\r\n
> This is a one year old issue, on the old last release of this series.
> But we still find some installations. A CVE would maybe help removal
> of 3.x installations, or at least upgrades to 3.0.7.

Hi Mitre,

the Debian Security team considers the issue serious enough to release
a DSA, so we'd also appreciate if this could be assigned a CVE.
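
As an added illustration (not part of this thread and not Varnish's own code), the Python example below shows how a CRLF-only parser and a parser that also accepts a lone CR disagree about the header form quoted above, and applies the two checks listed in the 3.0.7 changelog. All function names, the Host header and the second and third sample blocks are assumptions constructed for the example.

```python
# Added example: models the two 3.0.7 changelog checks. Sample headers are constructed.

def split_crlf_only(block: bytes) -> list[bytes]:
    """Strict view: only CRLF terminates a header line."""
    return [line for line in block.split(b"\r\n") if line]

def split_cr_tolerant(block: bytes) -> list[bytes]:
    """Lenient view: a lone CR (or LF) is also accepted as a line separator."""
    unified = block.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return [line for line in unified.split(b"\n") if line]

def content_lengths(lines: list[bytes]) -> list[bytes]:
    """Values of every Content-Length header found in the given lines."""
    values = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip())
    return values

def reject_reasons(block: bytes) -> list[str]:
    """Reasons a front end should refuse the header block; empty means accept."""
    reasons = []
    lines = split_crlf_only(block)
    if any(b"\r" in line or b"\n" in line for line in lines):
        reasons.append("bare CR or LF inside a header line")
    # Count in the tolerant view so a Content-Length hidden behind a lone CR is seen.
    if len(content_lengths(split_cr_tolerant(block))) > 1:
        reasons.append("multiple Content-Length headers")
    return reasons

# The header form quoted in the report, preceded by a constructed Host header.
QUOTED_FORM = b"Host: example.test\r\nDummy: header\rContent-Length: 0\r\n"
# Constructed samples: a duplicated Content-Length and a well-formed block.
DOUBLE_CL = b"Host: example.test\r\nContent-Length: 5\r\nContent-Length: 0\r\n"
CLEAN = b"Host: example.test\r\nContent-Length: 5\r\n"

if __name__ == "__main__":
    samples = (("quoted form", QUOTED_FORM), ("double CL", DOUBLE_CL), ("clean", CLEAN))
    for label, block in samples:
        print(label)
        print("  CRLF-only parser sees Content-Length:", content_lengths(split_crlf_only(block)))
        print("  CR-tolerant parser sees Content-Length:", content_lengths(split_cr_tolerant(block)))
        print("  reject:", reject_reasons(block) or "no")
```

For the quoted form, the CRLF-only parser sees no Content-Length at all while the CR-tolerant one sees `Content-Length: 0`, which is the disagreement between stacked components that the changelog entry refers to.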


