h2 bomb
Per Buer
per.buer at varnish-software.com
Thu Jun 4 08:39:53 UTC 2026
I'm pretty sure we aren't vulnerable and our analysis so far seems to
confirm this. Obviously, you can take down a Vinyl instance by hammering
it, but no amplification is happening. Also, we've been in touch with the
Calif guys before and they didn't notify us this time. These individuals
found VSV19, so they know how to reach us.
Per.
On Thu, Jun 4, 2026 at 10:18 AM Poul-Henning Kamp <phk at phk.freebsd.dk>
wrote:
> Found it:
>
> https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
>
> I think the way we manage workspace and HTTP headers is safe against
> this.
>
> Have not checked vtest2.
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk at FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
> _______________________________________________
> vinyl-dev mailing list
> vinyl-dev at vinyl-cache.org
> https://vinyl-cache.org/lists/mailman/listinfo/vinyl-dev
>
--
Per Buer
Varnish Software