|Description||Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|varnish (PTS)||wheezy, wheezy (security)||3.0.2-2+deb7u2||fixed|
|jessie (security), jessie||4.0.2-1+deb8u1||fixed|
|stretch (security), stretch||5.0.0-7+deb9u2||fixed|
The information below is based on the following data on fixed versions.
fixed in 3.0.7 upstream, mark as fixed with first 4.x version in unstable
4.x not affected