Amazon Linux AMI Security Advisory: ALAS-2016-721
Advisory Release Date: 2016-07-14 16:30 Pacific
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request. (CVE-2015-8852 )
Run yum update varnish to update your system.