trAvis - MANAGER

Edit File: VSV00001.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Yah! A security issue - finally! &#8212; Varnish version 5.2.1 documentation</title> <link rel="stylesheet" href="../_static/classic.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '5.2.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="top" title="Varnish version 5.2.1 documentation" href="../index.html" /> <link rel="up" title="Poul-Hennings random outbursts" href="index.html" /> <link rel="next" title="Something (funny) happened on the way to 5.1.0^H1^H2" href="somethinghappened.html" /> <link rel="prev" title="Poul-Hennings random outbursts" href="index.html" /> </head> <body role="document"> <div class="related" role="navigation" aria-label="related navigation"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="../genindex.html" title="General Index" accesskey="I">index</a></li> <li class="right" > <a href="somethinghappened.html" title="Something (funny) happened on the way to 5.1.0^H1^H2" accesskey="N">next</a> |</li> <li class="right" > <a href="index.html" title="Poul-Hennings random outbursts" accesskey="P">previous</a> |</li> <li class="nav-item nav-item-0"><a href="../index.html">Varnish version 5.2.1 documentation</a> &#187;</li> <li class="nav-item nav-item-1"><a href="index.html" accesskey="U">Poul-Hennings random outbursts</a> &#187;</li> </ul> </div> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body" role="main"> <div class="section" id="yah-a-security-issue-finally"> <span id="phk-vsv00001"></span><h1>Yah! A security issue - finally!<a class="headerlink" href="#yah-a-security-issue-finally" title="Permalink to this headline">¶</a></h1> <p>As embarrased as I am to find out that after 35 years of writing C-programs I <em>still</em> dont understand signed/unsigned variables, I am also incredibly proud that it took eleven years before Varnish had a major security incident.</p> <p>One side-effect of this episode is that the ink is still wet on most of the policies for handling security issues in the Varnish Project.</p> <p>We are, in the inimitable words of Amanda F. Palmer, <em>&quot;guilty of making shit up as you go along.&quot;</em></p> <p>So here is what we made up:</p> <div class="section" id="vwv-vulnerability-workaround-in-vcl"> <h2>VWV - Vulnerability Workaround in VCL<a class="headerlink" href="#vwv-vulnerability-workaround-in-vcl" title="Permalink to this headline">¶</a></h2> <p>Rolling a new Varnish release, even with an trivial one-line patch is not a fast operation, getting from patch to packages rolled and pushed into operating system respositories takes at least several days, provided you can get everybodys attention.</p> <p>Being able to offer users a way to mitigate security issues in VCL bypasses all that red tape: The moment you have the advisory in hand, you can defend your Varnish instance.</p> <p>VCL mitigation will always be our priority number one.</p> </div> <div class="section" id="wlic-we-love-inline-c"> <h2>WLIC - We Love Inline C<a class="headerlink" href="#wlic-we-love-inline-c" title="Permalink to this headline">¶</a></h2> <p>Brian W. Kernighan famously said that <a class="reference external" href="https://www.lysator.liu.se/c/bwk-on-pascal.html">he didn't like the programming language PASCAL</a> because <em>&quot;There is no escape.&quot;</em></p> <p>That quote is why Varnish got inline-C code from day one, to make sure there would always be an escape.</p> <p>However, recently we have been wondering if we should discontinue inline-C code, now that we have the much nicer and more structured VMOD facility.</p> <p>Well, that's all settled now: Inline-C stays, because it enabled us to craft the VCL-snippets to mitigate this &quot;deep-code&quot; security issue.</p> </div> <div class="section" id="vsv-varnish-security-vulnerability"> <h2>VSV - Varnish Security Vulnerability<a class="headerlink" href="#vsv-varnish-security-vulnerability" title="Permalink to this headline">¶</a></h2> <p>To my utter surprise, I could not get an embargoed CVE number, without having to reveal what was going on.</p> <p>There are good and sane reasons for that, and I harbour no ill feelings against the people who refused. Their policies need to target the really buggy software, and history has shown that to be anything but easy.</p> <p>But being unable to get a CVE number when we needed one, left us without a handle, and there being no signs that this was a fluke, we decided to start our own numbering of Varnish Security Vulnerabilities.</p> <p>We are starting from VSV number 1, as this one is the first real flag day for us, and we have reserved VTC testnames <cite>f%05d</cite> to go with it.</p> <p>Five digits should be enough for everybody.</p> <p>As soon as possible, if possible, we will of course try to get a unique CVE number attached to each VSV, but the VSV will be our own primary handle.</p> </div> <div class="section" id="vivu-very-important-varnish-users"> <h2>VIVU - Very Important Varnish Users<a class="headerlink" href="#vivu-very-important-varnish-users" title="Permalink to this headline">¶</a></h2> <p>I have been struggling with this problem for a long time, because sooner or later we would hit this event.</p> <p>Clearly some people deserve to get an early heads-up on security advisories, but who ?</p> <p>Any list big enough to be fair would also be too easy to sneak into for people who should not be on it.</p> <p>Such a list would also be a major head-ache for us to maintain, not to mention setting and judging the qualification criteria, and dealing with appeals from the ones we rejected.</p> <p>Instead I have decided that we are simply going to follow the money.</p> <p>People and companies who paid at least €1000 for a <a class="reference external" href="http://phk.freebsd.dk/VML/">Varnish Moral License</a> in the 12 months before the publication date, get advance warning of our security advisories.</p> <p>Those €1000 per year goes almost <a class="footnote-reference" href="#f1" id="id1">[1]</a> 100% to maintain, develop and improve Varnish, so even if there are no security advisories, the money will be well spent beneficially for a Varnish user.</p> <p>Of course nothing prevents Wile E. Hacker from also paying €1000 every year to receive advance notice, but I suspect it would sting a bit to know that your own money is being used to prevent the event you are gambling on - and that it might take eleven years for the ball to stop.</p> <p>But we will <em>also</em> maintain a VIVU-list, for people and companies who contribute materially to the Varnish Project in some way, (documentation, code, machines, testing, meeting-rooms...) or people we judge should be there for some other good reason.</p> <p>If you feel you should be on the VIVU list, drop me an email, don't forget to include your PGP key.</p> </div> <div class="section" id="vqs-varnish-quality-software"> <h2>VQS - Varnish Quality Software<a class="headerlink" href="#vqs-varnish-quality-software" title="Permalink to this headline">¶</a></h2> <p>From the very first line of code, Varnish has also been a software quality experiment, I wanted to show the world that software does not have to suck.</p> <p>Strange as it sounds, now that we finally had a major security issue, I feel kind of vindicated, in a strange kind of <em>&quot;The house burned down but I'm happy to know that the fire-alarm did work&quot;</em> kind of way.</p> <p>We have had some CVE's before, but none of them were major issues.</p> <p>The closest was probably <a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4484">CVE-2013-4484</a> four years ago, which in many ways was like VSV00001, but it only affected users with a not so common VCL construct.</p> <p>VSV00001 on the other hand exposes all contemporary Varnishes, it doesn't get any more major than that.</p> <p>But it took eleven years <a class="footnote-reference" href="#f2" id="id2">[2]</a> to get to that point, primarily because Varnish is a software quality experiment.</p> <p>How unusual our level of software quality is, was brought home by the response to my request for a CVE number under embargo: <em>&quot;I can do an embargoed CVE, but I'm not comfortable assigning one blindly to someone who doesn't have a history of requesting them.&quot;</em> - that sounds like praise by faint damnation to me.</p> <p>Anyway, I will not promise that we will have no major security issues until the year 2028, but I'll do my damnest to make it so.</p> </div> <div class="section" id="vdr-varnish-developers-rock"> <h2>VDR - Varnish Developers Rock<a class="headerlink" href="#vdr-varnish-developers-rock" title="Permalink to this headline">¶</a></h2> <p>When this issue surfaced I had contractors and moving boxes all around me and barely had workable internet connectivity in the new house.</p> <p>The usual gang of Varnish developers did a smashing job, largely on their own, and I am incredibly thankful for that.</p> <p>Much appreciated guys!</p> <p>And also a big round of thanks to the sponsors and VML contributors who have had patience with me trying to do the right thing, even if it took a while longer: I hope you agree that it has been worth it.</p> <p><em>phk</em></p> <p>PS: This was written before the public announcement.</p> <p class="rubric">Footnotes</p> <table class="docutils footnote" frame="void" id="f1" rules="none"> <colgroup><col class="label" /><col /></colgroup> <tbody valign="top"> <tr><td class="label"><a class="fn-backref" href="#id1">[1]</a></td><td>There is practically no overhead on the VML, only the banking fees to receive the payments.</td></tr> </tbody> </table> <table class="docutils footnote" frame="void" id="f2" rules="none"> <colgroup><col class="label" /><col /></colgroup> <tbody valign="top"> <tr><td class="label"><a class="fn-backref" href="#id2">[2]</a></td><td>It can be argued that we should only count until the bug was introduced in the codebase, rather than until it was discovered. In that case it is not eleven years but &quot;only&quot; eight years.</td></tr> </tbody> </table> </div> </div> </div> </div> </div> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <h3><a href="../index.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Yah! A security issue - finally!</a><ul> <li><a class="reference internal" href="#vwv-vulnerability-workaround-in-vcl">VWV - Vulnerability Workaround in VCL</a></li> <li><a class="reference internal" href="#wlic-we-love-inline-c">WLIC - We Love Inline C</a></li> <li><a class="reference internal" href="#vsv-varnish-security-vulnerability">VSV - Varnish Security Vulnerability</a></li> <li><a class="reference internal" href="#vivu-very-important-varnish-users">VIVU - Very Important Varnish Users</a></li> <li><a class="reference internal" href="#vqs-varnish-quality-software">VQS - Varnish Quality Software</a></li> <li><a class="reference internal" href="#vdr-varnish-developers-rock">VDR - Varnish Developers Rock</a></li> </ul> </li> </ul> <h4>Previous topic</h4> <p class="topless"><a href="index.html" title="previous chapter">Poul-Hennings random outbursts</a></p> <h4>Next topic</h4> <p class="topless"><a href="somethinghappened.html" title="next chapter">Something (funny) happened on the way to 5.1.0^H1^H2</a></p> <div role="note" aria-label="source link"> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/phk/VSV00001.txt" rel="nofollow">Show Source</a></li> </ul> </div> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <div><input type="text" name="q" /></div> <div><input type="submit" value="Go" /></div> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <div class="clearer"></div> </div> <div class="related" role="navigation" aria-label="related navigation"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="../genindex.html" title="General Index" >index</a></li> <li class="right" > <a href="somethinghappened.html" title="Something (funny) happened on the way to 5.1.0^H1^H2" >next</a> |</li> <li class="right" > <a href="index.html" title="Poul-Hennings random outbursts" >previous</a> |</li> <li class="nav-item nav-item-0"><a href="../index.html">Varnish version 5.2.1 documentation</a> &#187;</li> <li class="nav-item nav-item-1"><a href="index.html" >Poul-Hennings random outbursts</a> &#187;</li> </ul> </div> <div class="footer" role="contentinfo"> &#169; Copyright 2010-2014, Varnish Software AS. Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.4.9. </div> </body> </html>