Sites using Cloudflare, really. However, Cloudflare say that only sites using three page rules were affected - email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites. [1]
No! And this is why Cloudflare's poor write-up continues to confuse people. Sites with those features triggered the bug. Once the bug was triggered the response would include data from ANY other Cloudflare customer that happened to be in memory at the time. Meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare. Not over-estimated at all.
Does traffic from different sites flow through the same server process on CF? E.g., can the following sequence occur?:
1. a request hits a site that doesn't use any of those features, but loads juicy data into memory temporarily; the memory is dealloc'd, but is now "primed"
2. a request hits a site that uses those features, triggers the bug, and leaks the data from step #1.
Said differently, my reading of the CF blog is that only sites using those three page rules trigger the bug, but that is distinct from being affected by it. (The affected site is the one in the uninitialized memory; the site using the rules is in the initialized memory being processed.)
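The two-step sequence asked about above, as a toy model (an added example, not part of any comment here and not Cloudflare's code): one buffer is shared by every tenant in a process, and a feature-only rewrite step scans past the end of the current response. The buffer layout, function names and sample strings are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SLOT 64
static char pool[SLOT];      /* one buffer reused for every tenant's response */
static char out[SLOT + 1];   /* what is sent back to the client */

/* Constructed sample data: tenant A uses none of the features, tenant B does. */
static const char *TENANT_A = "<p>token=CONSTRUCTED-A-SECRET</p>";
static const char *TENANT_B = "<a href=\"x";   /* tag is never closed */

static size_t load(const char *body) {
    size_t n = strlen(body);
    if (n > SLOT) n = SLOT;
    memcpy(pool, body, n);   /* bytes past n keep whatever was there before */
    return n;
}

static void release(int scrub) { if (scrub) memset(pool, 0, SLOT); }

/* Feature-only rewrite step: copy up to the '>' that closes the tag.
   Unchecked, the scan runs over the whole slot instead of this response. */
static size_t emit(size_t loaded, int checked) {
    size_t limit = checked ? loaded : SLOT, i = 0;
    while (i < limit && pool[i] != '>') i++;
    if (i < limit) i++;      /* include the closing '>' */
    memcpy(out, pool, i);
    out[i] = '\0';
    return i;
}

/* Step 1: tenant A's request primes the slot. Step 2: tenant B's request
   runs the rewrite. Returns 1 if A's bytes end up in B's response. */
static int sequence_leaks(int checked, int scrub) {
    memset(pool, 0, SLOT);
    load(TENANT_A);
    release(scrub);
    emit(load(TENANT_B), checked);
    release(scrub);
    return strstr(out, "A-SECRET") != NULL;
}

int main(void) {
    printf("unchecked scan, no scrub: leak=%d\n", sequence_leaks(0, 0));
    printf("bounds-checked scan:      leak=%d\n", sequence_leaks(1, 0));
    printf("scrub on release:         leak=%d\n", sequence_leaks(0, 1));
    return 0;
}
```

In this model the tenant whose data leaks never enabled the feature; only the tenant whose page triggers the scan did. Either bounding the scan to the current response or scrubbing the buffer on release stops the leak.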
Sites using Cloudflare, really. However, Cloudflare say that only sites using three page rules were affected - email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites. [1]
Is this over-estimating the impact, perhaps?
[1] https://blog.cloudflare.com/incident-report-on-memory-leak-c...