full disclosure reports
Poul-Henning Kamp
phk at phk.freebsd.dk
Wed Mar 6 17:23:34 CET 2013
In message <E4AC4D6A-694C-4025-A914-9FA85DF83B43 at crucially.net>, Artur Bergman writes:
>> They contacted me up front, I told them we don't consider it a security
>> problem, because Varnish has to trust the backend being sensible.
>>
>> We'd be just as hosed if the backend started sending only 1TB objects.
>
>Thank you for that very pragmatic and mature view of the world.

I didn't say I don't consider those issues problems, I do, I just don't
consider them security problems.

I do realize that Fastly's usage of Varnish is different from pretty much
everybody else in the world, but that is a risk Fastly has chosen to take
and the consequences are theirs to bear.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.