<div dir="ltr"><div>For the record, I have added #1274 and #1275 in trac for the last two:<br><br><a href="https://www.varnish-cache.org/trac/ticket/1274">https://www.varnish-cache.org/trac/ticket/1274</a><br><a href="https://www.varnish-cache.org/trac/ticket/1275">https://www.varnish-cache.org/trac/ticket/1275</a><br>
<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Mar 6, 2013 at 3:41 PM, Nils Goroll <span dir="ltr">&lt;<a href="mailto:slink@schokola.de" target="_blank">slink@schokola.de</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">FYI:<br>
<br>
* <a href="http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/89110" target="_blank">http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/89110</a><br>
  -> looks like <a href="https://www.varnish-cache.org/trac/ticket/927" target="_blank">https://www.varnish-cache.org/trac/ticket/927</a> at first sight<br>
<br>
* <a href="http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/89115" target="_blank">http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/89115</a><br>
  -> another one with ridiculously high Content-Length<br>
<br>
these ones are also reported for 3.0.3 and look like genuine issues to me:<br>
<br>
* <a href="http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/89113" target="_blank">http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/89113</a><br>
  -> new report? (does not look like a new issue to me regarding GetHdr,<br>
     but in the context of Vary parsing)<br>
<br>
* <a href="http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/89107" target="_blank">http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/89107</a><br>
  -> Vary parsing<br>
<br>
IIUC to exploit any of these one would need access to a backend or at least some way to make a backend produce certain response headers.<br>
<br>
Nils<br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>
<b>Dag Haavi Finstad</b><br>
Developer | Varnish Software AS<br>

</div>