
Mailing List Archive: Varnish: Announce

Almost but not quite a security advisory

 

 



phk at phk

Apr 28, 2012, 12:50 AM


Hi Varnish users,

This is a pretty special corner case, way outside what we promise
Varnish will do, so I have decided it does not qualify for a
security-advisory; however, the announce list is my only way to
communicate with the very few people this issue applies to:

If
You run varnishd as root
and
You use privilege separation
and
You accept VCL programs from untrusted sources
and
You allow the VCL programs to contain inline-C or unverified VMODs.

Then please check the 2012-04-28 entry on:

https://www.varnish-cache.org/trac/wiki/TroubleLog

Thanks in advance,

Poul-Henning

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk [at] FreeBSD | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

_______________________________________________
varnish-announce mailing list
varnish-announce [at] varnish-cache
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-announce
