ALAS-2016-721


Amazon Linux AMI Security Advisory: ALAS-2016-721
Advisory Release Date: 2016-07-14 16:30 Pacific
Severity: Important
References: CVE-2015-8852 

Issue Overview:

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request. (CVE-2015-8852 )


Affected Packages:

varnish


Issue Correction:
Run yum update varnish to update your system.

New Packages:
i686:
    varnish-debuginfo-3.0.7-1.20.amzn1.i686
    varnish-libs-3.0.7-1.20.amzn1.i686
    varnish-3.0.7-1.20.amzn1.i686
    varnish-libs-devel-3.0.7-1.20.amzn1.i686
    varnish-docs-3.0.7-1.20.amzn1.i686

src:
    varnish-3.0.7-1.20.amzn1.src

x86_64:
    varnish-libs-devel-3.0.7-1.20.amzn1.x86_64
    varnish-libs-3.0.7-1.20.amzn1.x86_64
    varnish-3.0.7-1.20.amzn1.x86_64
    varnish-docs-3.0.7-1.20.amzn1.x86_64
    varnish-debuginfo-3.0.7-1.20.amzn1.x86_64