oss-sec mailing list archives

Re: Re: Varnish - no CVE == bug regression


From: Michael Samuel <mik () miknet net>
Date: Wed, 9 Jul 2014 16:40:26 +1000

On 9 July 2014 16:13, Poul-Henning Kamp <phk () phk freebsd dk> wrote:
> No, a restart shuts all connections.
>
> The master process' job is to hold the configured state and start/stop
> the worker process.  As part of the startup the socket is opened & bound,
> but the master does not have anything to do with client sockets.  This
> is mainly a security decision:  The master must be involatile.

I'm not disagreeing with that decision (which obviously has its own
merits), but if that's the case then this is a low-risk, low-impact DoS
vulnerability.

A CVE assignment will trigger out-of-band patches for distros that might
not do so otherwise.  Surely you agree that this is desirable?

Regards,
  Michael
