I just had to comment on this…
Read the advisory here.
My short comment: if you install any type of software, use any kind of mechanical device, or do anything in life, be sure to know what you are doing.
If you buy a car, and the car door is not locked when you are handed the keys, do still lock the doors if you don’t want people to come into your car!
Snippets from the advisory:
"In order to completely protect against the vulnerability (in the short term), Nth Dimension recommend turning off the server and replacing it with another reverse proxy such as Squid."
That would be like stepping out of a Ferrari and crawling into twelve old Tractors… I don’t think people will do that Mr. Brown…
"Should this not be possible, Nth Dimension would strongly recommend that users confirm that the master process is not listening on an external network interface."
This is so much easier to do than migrating to Squid or the like, and it is the right thing to do if you are not in a trusted environment. Again, do lock your car door.
"In the latter case, users should confirm that only trusted users have SSH access to the system."
As a rule of thumb: You should NEVER have untrusted users on your systems if you value your data on it or the data accessible from it.
There is plenty of information on how to harden an Operating System (OS). One of the first and most common steps is to make sure the system does not listen on network ports that you don’t want it to. I feel that the advisory is bogus because it is a feature of Varnish.
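The check the advisory asks for (confirm that the master process is not listening on an external network interface) comes down to reading the listener table and flagging anything not bound to loopback. The script below is an added example, not part of the original post or of Varnish: it takes `ss -ltnH`-style lines on stdin and reports the non-loopback listeners. The listener table here is constructed sample data, and port 6082 is an assumption about the management port a distribution package might configure; with `varnishd` the management listener is set with `-T`, so check your own startup flags rather than trusting the number used here.

```shell
#!/bin/sh
# Added example (not from the original post): flag TCP listeners that are bound
# to something other than the loopback address. On Linux you would pipe in the
# output of `ss -ltnH`; here the input is a constructed sample in that layout.

# Constructed sample listener table, columns as printed by `ss -ltnH`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 10 127.0.0.1:6082 0.0.0.0:*
LISTEN 0 10 0.0.0.0:6082 0.0.0.0:*
LISTEN 0 128 [::1]:6082 [::]:*
LISTEN 0 128 *:22 *:*'

# Constructed sample where the (assumed) management port 6082 is loopback-only.
SAFE_LISTENERS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 10 127.0.0.1:6082 0.0.0.0:*
LISTEN 0 128 [::1]:6082 [::]:*'

# Read ss-style lines on stdin; print the Local-Address:Port of every listener
# whose address is not 127.0.0.1, [::1] or localhost.
non_loopback_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        # drop the trailing :port so only the bare address remains
        sub(/:[0-9]+$/, "", addr)
        if (addr != "127.0.0.1" && addr != "[::1]" && addr != "localhost")
            print $4
    }'
}

# Read ss-style lines on stdin and report whether the given port is reachable
# from another host ("exposed") or bound to loopback only ("local-only").
port_exposure() {
    port="$1"
    if non_loopback_listeners | grep -q ":${port}\$"; then
        echo exposed
    else
        echo local-only
    fi
}

# Stand-alone run: list exposed listeners, then classify the management port.
printf '%s\n' "$SAMPLE_LISTENERS" | non_loopback_listeners
printf '%s\n' "$SAMPLE_LISTENERS" | port_exposure 6082
```

On a real host, replace the constructed sample with `ss -ltnH | non_loopback_listeners`; anything the script prints for the management port means the daemon is bound to an interface other than loopback and the startup configuration (for `varnishd`, the `-T` argument) needs changing.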
The advisory should have been aimed at the distributions that have packages that don’t implement “non-clue friendly defaults”.
That said, there is nothing stopping me from sending out my passwords via email once I have installed a browser and I manage to log into my gmail account…
Subject: “Medium security hole in Mozilla Firefox”
Body: “I’ve identified a couple of security flaws affecting Mozilla Firefox (All versions) which may allow privilege escalation….”