Almost but not quite a security advisory
Poul-Henning Kamp
phk at phk.freebsd.dk
Sat Apr 28 09:50:46 CEST 2012
Hi Varnish users,
This is a pretty special corner case, way outside what we promise
Varnish will do, so I have decided it does not qualify for a
security-advisory, however, the announce list is my only way to
communicate with the very few people this issue applies to:
If
You run varnishd as root
and
You use privilege separation
and
You accept VCL programs from untrusted sources
and
You allow the VCL programs to contain inline-C or unverified VMODs.
Then please check the 2012-04-28 entry on:
https://www.varnish-cache.org/trac/wiki/TroubleLog
Thanks in advance,
Poul-Henning
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
More information about the varnish-announce
mailing list