Security advisories

DROWN Attack & Fastly

Tuesday, March 1, 2016

Today, in conjunction with an OpenSSL Security Advisory, several researchers announced a new attack on HTTPS they are calling “Decrypting RSA with Obsolete and Weakened Encryption,” or DROWN. Due to Fastly’s existing TLS configuration, our services, and customers using Fastly as their CDN, are not vulnerable to this attack.

Securing Edge-To-Origin TLS

Thursday, February 18, 2016

Fastly has fixed a problem in our default Transport Layer Security (TLS) configuration that prevented proper certificate validation when connecting to customer origin servers. Services created after September 6th, 2015 were not affected. This advisory describes the issue to inform our customers of the potential exposure, the fix we’ve made, and additional improvements we’re making.

This vulnerability has been assigned a Fastly Security severity rating of HIGH.

CVE-2015-7547 Buffer Overflow in glibc

Tuesday, February 16, 2016

On Tuesday, February 16th, researchers published details about a new vulnerability in the glibc library, a standard C library. The vulnerability existed in the code used to translate hostnames into IP addresses. Processes that use it are very common across network service providers, such as CDNs.

Fastly immediately implemented a security update on affected systems. No customer action is required. Fastly’s service was not impacted.

