Advisories » MGASA-2025-0239

Updated varnish & lighttpd packages fix security vulnerability

Publication date: 17 Oct 2025
Modification date: 17 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8671

Description

It was discovered that a denial of service attack can be performed on
cache servers that have the HTTP/2 protocol turned on. An attacker can
create a large number of streams and immediately reset them without ever
reaching the maximum number of concurrent streams allowed for the
session, causing the server to consume unnecessary resources processing
requests for which the response will not be delivered (CVE-2025-8671).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=34587
• https://www.openwall.com/lists/oss-security/2025/08/13/6
• https://www.openwall.com/lists/oss-security/2025/08/16/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8671

SRPMS

9/core

• varnish-7.7.3-1.mga9
• lighttpd-1.4.80-1.3.mga9