Date: Wed, 9 Jul 2014 16:40:26 +1000
From: Michael Samuel <mik@...net.net>
To: Poul-Henning Kamp <phk@....freebsd.dk>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: Varnish - no CVE == bug regression

On 9 July 2014 16:13, Poul-Henning Kamp <phk@....freebsd.dk> wrote:
> No, a restart shuts all connections.
>
> The master process' job is to hold the configured state and start/stop
> the worker process. As part of the startup the socket is opened & bound,
> but the master does not have anything to do with client sockets. This
> is mainly a security decision: The master must be involatile.

I'm not disagreeing with that decision (which obviously has its own
merits), but if that's the case then this is a low-risk, low-impact DoS
vulnerability.

A CVE assignment will trigger out-of-band patches for distros that might
not do so otherwise. Surely you agree that this is desirable?

Regards,
Michael