Date: Wed, 9 Jul 2014 16:40:26 +1000
From: Michael Samuel <mik@...net.net>
To: Poul-Henning Kamp <phk@....freebsd.dk>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: Varnish - no CVE == bug regression

On 9 July 2014 16:13, Poul-Henning Kamp <phk@....freebsd.dk> wrote:
> No, a restart shuts all connections.
>
> The master process' job is to hold the configured state and start/stop
> the worker process.  As part of the startup the socket is opened & bound,
> but the master does not have anything to do with client sockets.  This
> is mainly a security decision:  The master must be involatile.

I'm not disagreeing with that decision (which obviously has its own
merits), but if that's the case then this is a low-risk, low-impact DoS
vulnerability.

A CVE assignment will trigger out-of-band patches for distros that might
not do so otherwise.  Surely you agree that this is desirable?

Regards,
  Michael
