full disclosure reports
Poul-Henning Kamp
phk at phk.freebsd.dk
Wed Mar 6 16:38:47 CET 2013
In message <513755AD.2010808 at schokola.de>, Nils Goroll writes:
>IIUC to exploit any of these one would need access to a backend or at least some
>way to make a backend produce certain response headers.
They contacted me up front; I told them we don't consider it a security
problem, because Varnish has to trust the backend being sensible.
We'd be just as hosed if the backend started sending only 1TB objects.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.