oss-sec mailing list archives
Re: Re: Varnish - no CVE == bug regression
From: Michael Samuel <mik () miknet net>
Date: Wed, 9 Jul 2014 16:40:26 +1000
On 9 July 2014 16:13, Poul-Henning Kamp <phk () phk freebsd dk> wrote:
> No, a restart shuts all connections. The master process' job is to hold the configured state and start/stop the worker process. As part of the startup the socket is opened & bound, but the master does not have anything to do with client sockets. This is mainly a security decision: The master must be involatile.
I'm not disagreeing with that decision (which obviously has its own merits), but if that's the case then this is a low-risk, low-impact DoS vulnerability. A CVE assignment will trigger out-of-band patches for distros that might not do so otherwise. Surely you agree that this is desirable?

Regards,
Michael