Amazon Linux 1 Security Advisory: ALAS-2016-721
Advisory Release Date: 2016-07-14 16:30 Pacific
Advisory Updated Date: 2016-07-14 16:30 Pacific
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request. (CVE-2015-8852)
Affected Packages:
varnish
Issue Correction:
Run yum update varnish to update your system.
i686:
varnish-debuginfo-3.0.7-1.20.amzn1.i686
varnish-libs-3.0.7-1.20.amzn1.i686
varnish-3.0.7-1.20.amzn1.i686
varnish-libs-devel-3.0.7-1.20.amzn1.i686
varnish-docs-3.0.7-1.20.amzn1.i686
src:
varnish-3.0.7-1.20.amzn1.src
x86_64:
varnish-libs-devel-3.0.7-1.20.amzn1.x86_64
varnish-libs-3.0.7-1.20.amzn1.x86_64
varnish-3.0.7-1.20.amzn1.x86_64
varnish-docs-3.0.7-1.20.amzn1.x86_64
varnish-debuginfo-3.0.7-1.20.amzn1.x86_64