oss-sec mailing list archives

Re: Varnish - no CVE == bug regression


From: Stefan Bühler <stbuehler () lighttpd net>
Date: Thu, 3 Jul 2014 22:27:15 +0200

Hi,

On Thu, 3 Jul 2014 21:07:39 +0100
Marek Kroemeke <kroemeke () gmail com> wrote:

> I doubt that CDNs like Akamai, Fastly (varnish?), Cloudflare (nginx?)
> etc. would agree that the fact that a core part of their
> infrastructure could be DoSed by one of their users is not a security
> vulnerability, but I'm happy to be in the minority regarding this view.

As long as varnish has no high priority to protect itself against
malicious backends I'd say it is not suited to be a frontend proxy in a
CDN network (you could use a separate varnish instance for each
application/"trust group" though).

Different implementations have different priorities; choose one that
matches your requirements.

regards,
Stefan

