Mageia alert MGASA-2025-0239 (varnish & lighttpd)
From: Mageia Updates <updates-announce@ml.mageia.org>
To: updates-announce@ml.mageia.org
Subject: [updates-announce] MGASA-2025-0239: Updated varnish & lighttpd packages fix security vulnerability
Date: Fri, 17 Oct 2025 03:41:37 +0200
Message-ID: <20251017014137.807299FBD1@duvel.mageia.org>

MGASA-2025-0239 - Updated varnish & lighttpd packages fix security vulnerability

Publication date: 17 Oct 2025
URL: https://advisories.mageia.org/MGASA-2025-0239.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-8671

Description:
It was discovered that a denial of service attack can be performed on cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the server to consume unnecessary resources processing requests for which the response will not be delivered (CVE-2025-8671).

References:
- https://bugs.mageia.org/show_bug.cgi?id=34587
- https://www.openwall.com/lists/oss-security/2025/08/13/6
- https://www.openwall.com/lists/oss-security/2025/08/16/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8671

SRPMS:
- 9/core/varnish-7.7.3-1.mga9
- 9/core/lighttpd-1.4.80-1.3.mga9
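
Added example (not part of the advisory, and not the varnish or lighttpd fix): a small Python model of one HTTP/2 session showing why the concurrent-stream limit named in the description never trips under open-then-reset churn, while a per-session reset budget does. The limits, the event format and both traces are constructed assumptions.

```python
from collections import deque

MAX_CONCURRENT_STREAMS = 100  # assumed per-session stream cap (constructed value)
RESET_BUDGET = 50             # assumed: resets tolerated per window (hypothetical policy)
WINDOW_MS = 1000              # assumed sliding-window length

class SessionMonitor:
    """Tracks one HTTP/2 session from (ms, kind, stream_id) events."""
    def __init__(self):
        self.open_streams = set()
        self.peak_concurrent = 0
        self.requests_started = 0
        self.recent_resets = deque()
        self.flagged_at = None  # time the reset budget was first exceeded

    def on_event(self, ts, kind, stream_id):
        if kind == "open":
            self.open_streams.add(stream_id)
            self.requests_started += 1  # server-side request processing begins here
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
            return
        self.open_streams.discard(stream_id)  # "reset" and "close" both free the slot
        if kind == "reset":
            self.recent_resets.append(ts)
            while ts - self.recent_resets[0] >= WINDOW_MS:
                self.recent_resets.popleft()  # forget resets older than the window
            if self.flagged_at is None and len(self.recent_resets) > RESET_BUDGET:
                self.flagged_at = ts

def replay(events):
    mon = SessionMonitor()
    for ts, kind, stream_id in events:
        mon.on_event(ts, kind, stream_id)
    return mon

def churn_trace(n):
    """Constructed trace: each stream is opened and reset in the same millisecond."""
    return [(i, kind, 2 * i + 1) for i in range(n) for kind in ("open", "reset")]

def browsing_trace(n):
    """Constructed trace: a stream every 50 ms, every 20th one cancelled by reset."""
    events = []
    for i in range(n):
        events.append((i * 50, "open", 2 * i + 1))
        events.append((i * 50 + 30, "reset" if i % 20 == 0 else "close", 2 * i + 1))
    return events

if __name__ == "__main__":
    for name, trace in (("churn", churn_trace(1000)), ("browsing", browsing_trace(200))):
        m = replay(trace)
        print(name, m.requests_started, m.peak_concurrent, m.flagged_at)
```

In the churn trace the session starts 1000 requests while never holding more than one stream open, so only the reset counter notices it.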
