We have just had to suffer the indignity of announcing that there was a DoS hole in Varnish 6.x.
I have written my thoughts about it over in my "rant" section in the Varnish project, but I would really like to hear what input people have on this part:
An event like this is a good chance to "recalculate the route" so to speak, and the first question we need to answer is if we are barking up the wrong tree?
Does it matter in the real world that Varnish does not spit out a handful of CVEs per year?
Would the significant amount of time we spend on trying to prevent that be better used to extend Varnish?
There is no doubt that part of Varnish Cache's success is that it is largely "fire & forget".
Every so often I get an email from "the new guy" who just found a Varnish instance which has been running for years, unbeknownst to everybody still in the company.
There are still Varnish 2.x and 3.x out there, running serious workloads without making a fuss about it.
But is that actually a good thing?
Dan Geer thinks not, he has argued that all software should have a firm expiry date, to prevent cyberspace ending as a "Cybersecurity SuperFund Site".
So far our two big security issues have both been DoS vulnerabilities, and Varnish recovers as soon as the attack ends, but what if the next one is a data-disclosure issue?
When Varnish users are not used to patching their Varnish instance, would they even notice the security advisory, or would they obliviously keep running the vulnerable code for years on end?
Of course, updating a software package has never been easier, in a well-run installation it should be a non-event which happens automatically.
And in a world where August 2019 saw a grand total of 2004 CVEs, how much should we (still) cater to people who "fire & forget"?
And finally we must ask ourselves if all the effort we spend on code quality is worth it, if we still face a major security issue as often as every other year?
Where are we actually at with security and software quality these days?