Re: [squid-users] Squid 3.2.0.19 beta is available

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 10 Aug 2012 14:31:38 +1200

On 8/08/2012 11:51 p.m., Eliezer Croitoru wrote:
> On 8/7/2012 10:59 AM, Amos Jeffries wrote:
>> Important changes to note in this release:
>>
>> * As you should know CVE-2009-0801 security vulnerability protection was
>> added in 3.2 series.
>>
>> Earlier betas attempted to protect peer caches as well as themselves, by
>> blocking relay of untrusted requests until we could implement a safe
>> relay.
>>
>> Due to time constraints this extra layer of peer protection
>> has been REMOVED from 3.2 default builds.
>>
>> Interception cache proxies are themselves well protected against the
>> vulnerability, but can indirectly poison any cache hierarchy they are
>> integrated with. The -DSTRICT_HOST_VERIFY compile-time flag can be

Sigh. Correction: -DSTRICT_ORIGINAL_DST is the flag name.

>> defined in CXXFLAGS to re-enable this peer protection if desired. Its
>> use is encouraged, but will result in problems for some popular
>> configurations. ie ISP interception proxy gatewaying through a cache
>> array, matrix of interception proxies as siblings.
>>
>> Use of the client destination IP (ORIGINAL_DST) is still preferred for
>> untrusted requests, so if your proxy is backed by a firewall denial
>> please ensure that the rules are REJECT rules rather than DROP for best
>> performance. never_direct does not affect this routing preference as it
>> does for DIRECT traffic.
> I want to verify because I'm a bit confused.
> Can an intercepted request be forwarded to a cache_peer in any way?

NOTE: I've spent a bit more time working it over and decided to drop
that complication. New patch heading down for 3.2.0.20 later today.

Amos
Received on Fri Aug 10 2012 - 02:31:52 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 10 2012 - 12:00:02 MDT
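The thread above turns on one routing rule: an intercepted request whose Host header cannot be reconciled with the client's original destination IP is "untrusted" and is sent to ORIGINAL_DST rather than relayed to a cache_peer, so a forged Host header cannot poison the rest of the hierarchy (the CVE-2009-0801 class of problem). The following is an added illustration of that decision, not Squid's own code: the `FAKE_DNS` table, the hostnames and addresses in it, and the `choose_route` / `host_matches_original_dst` helpers are all constructed for the example, and a real proxy would consult its resolver instead of the table.

```python
"""Illustration of the trust check an intercepting proxy applies to a request
before deciding whether it may be relayed to a peer cache.
Added example; not Squid source code.
"""
import ipaddress
from typing import Dict, List

# Constructed, offline stand-in for DNS: hostname -> A records.
# A real proxy queries its resolver here; this keeps the example runnable offline.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "cdn.example.net": ["198.51.100.7", "198.51.100.8"],
}


def resolve(host: str) -> List[str]:
    """Return the A records the stand-in DNS knows for host (empty if none)."""
    return FAKE_DNS.get(host.lower(), [])


def parse_host_header(host_header: str) -> str:
    """Strip an optional :port from a Host header value.

    IPv6 literals arrive bracketed ("[2001:db8::1]:8080"), so handle them first.
    """
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else value
    return value.rsplit(":", 1)[0] if ":" in value else value


def host_matches_original_dst(host_header: str, original_dst_ip: str) -> bool:
    """True when the Host header legitimately names the intercepted destination.

    Either the Host is the very IP literal the client connected to, or the
    name's A records include that IP. Anything else is treated as untrusted.
    """
    host = parse_host_header(host_header)
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(original_dst_ip)
    except ValueError:
        pass  # Host is a DNS name, fall through to the record comparison
    return original_dst_ip in resolve(host)


def choose_route(host_header: str, original_dst_ip: str, peers: List[str]) -> List[str]:
    """Ordered list of destinations to try for an intercepted request.

    Trusted request: normal hierarchy, peers first, then ORIGINAL_DST.
    Untrusted request: ORIGINAL_DST only, never a peer, so a forged Host
    header cannot be used to plant a poisoned object in a sibling or parent.
    """
    direct = f"ORIGINAL_DST:{original_dst_ip}"
    if host_matches_original_dst(host_header, original_dst_ip):
        return peers + [direct]
    return [direct]


if __name__ == "__main__":
    # Genuine request: Host resolves to the address the client actually dialled.
    print(choose_route("www.example.com", "93.184.216.34", ["parent.cache"]))
    # Forged Host: name does not resolve to the intercepted destination.
    print(choose_route("www.example.com:80", "198.51.100.7", ["parent.cache"]))
```

Run stand-alone, the first call lists the peer ahead of ORIGINAL_DST while the second returns ORIGINAL_DST alone. The same decision is why the announcement asks for firewall REJECT rules rather than DROP: an untrusted request always goes to ORIGINAL_DST, so a silently dropped connection there stalls the client until the connect timeout, whereas a REJECT fails fast.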