Date: Fri, 4 Jul 2014 07:10:48 +0000 From: Sven Kieske <S.Kieske@...twald.de> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Re: Varnish - no CVE == bug regression Am 03.07.2014 22:17, schrieb Stefan Bühler:> And again "user controlled input"... a root shell also uses "user > controlled input". A shell differs very much from varnish: you can configure the shell user to be just able to e.g. run certain commands, you almost never just use the plain "shell". you use it in the context of the operating system, which allows you to enforce additional security boundaries, and often does this by default. you can restrict certain shells to allow just specific commands. and after all, a shell is build to execute code/commands, varnish is there to serve cached web documents and to speed things up. So I really think: With different intended usecases come different security models and different considerations what is a flaw or breach in this model. if you think the use case for varnish is to get crashed, well I just have to wonder what's that use case for? Even the varnish devs seem to agree this is unwanted behaviour or why do they fix it? This is merely about if(in general) and which(specific) "unwanted behaviour" is considered a security vulnerability. And today, the tendency is most times to not tolerate any "unwanted behaviour" in any software. Keep in mind this opens up more unexplored codepaths and can boil down, to what is widely known as "weird machines". (visit langsec.org for many interesting papers on input validation ;) ) Also Kurt did really sum it up very well, imho, so this will be my last post to this thread. -- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100 F: +49-5772-293-333 https://www.mittwald.de Geschäftsführer: Robert Meyer St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ