In message <[email protected]>, Nils Goroll writes:

>IIUC to exploit any of these one would need access to a backend or at least some
>way to make a backend produce certain response headers.

They contacted me up front, I told them we don't consider it a security problem, because Varnish has to trust the backend being sensible.

We'd be just as hosed if the backend started sending only 1TB objects.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
[email protected]        | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

_______________________________________________
varnish-dev mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
