Candidate: CVE-2019-15892
PublicDate: 2019-09-03 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15892
 https://varnish-cache.org/security/VSV00003.html
 https://github.com/varnishcache/varnish-cache/commit/1cb778f6f69737109e8c070a74b8e95b78f46d13
 https://github.com/varnishcache/varnish-cache/commit/0f0e51e9871ed1bd1236378f8b0dea0d33df4e9e
 https://github.com/varnishcache/varnish-cache/commit/72df38fa8bfc0f5ca4a75d3e32657e8e590d85ab
 https://github.com/varnishcache/varnish-cache/commit/dd47e658a0de9d12c433a4a01fb43ea4fe4d3a41
 https://github.com/varnishcache/varnish-cache/commit/34717183beda3803e3d54c9826a1a9f026ca2505
 https://github.com/varnishcache/varnish-cache/commit/ec3997a59a93cbc13a3cba22dfe0b4c4710a8f65
 https://github.com/varnishcache/varnish-cache/commit/af13de03eaa3d04f60ada52ed3235d545b8d3973
 https://github.com/varnishcache/varnish-cache/commit/6da64a47beff44ecdb45c82b033811f2d19819af
 https://seclists.org/bugtraq/2019/Sep/5
 https://www.debian.org/security/2019/dsa-4514
Description:
 An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and
 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to
 trigger an assert by sending crafted HTTP/1 requests. The assert will cause
 an automatic restart with a clean cache, which makes it a Denial of Service
 attack.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939333
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_varnish:
upstream_varnish: released (6.2.1-1)
precise/esm_varnish: DNE
trusty_varnish: ignored (out of standard support)
trusty/esm_varnish: not-affected (code not present)
xenial_varnish: not-affected (code not present)
bionic_varnish: not-affected (code not present)
disco_varnish: ignored (reached end-of-life)
eoan_varnish: ignored (reached end-of-life)
focal_varnish: not-affected (6.2.1-2)
devel_varnish: not-affected (6.2.1-2)