Date: Tue, 19 May 2015 12:16:08 +0200 From: Alessandro Ghedini <alessandro@...dini.me> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE Request: nbd denial of service Hello, the following vulnerability was reported in the Debian bug tracker for nbd: > There's a remotely exploitable denial of service flaw, similar/identical > to CVE-2011-1925 in nbd-server. It has been documented publicly in > 2013-01-28. It has been fixed in upstream version 3.4  and hence > affects only the stable release (1:3.2-4~deb7u4). > > : http://sourceforge.net/p/nbd/mailman/message/30410146/ > : https://github.com/yoe/nbd/commit/741495cb08503fd32a9d22648e63b64390c601f4 > > The flaw can be exploited easily by connecting to a server (listening at > 10.0.0.1 in this example) and asking for a non-existing export: > > nbd-client 10.0.0.1 -N some-non-existing-export-name /dev/nbd1 > > The root (listener) nbd-server process will exit because of failed > negotiation procedure, effectively denying the service from others. See https://bugs.debian.org/781547 According to the upstream author (Wouter Verhelst): > versions <= 2.9.16 and >= 3.4 are definitely not vulnerable. Versions released > immediately after CVE-2011-1925 are *probably* not vulnerable, but I'm not > sure (and I don't want to go test all of them...). Versions released between > 2.9.16 and 2.9.22 (which fixes CVE-2011-1925) are vulnerable in the sense that > the bad design is still there, but I don't believe they would crash in that > manner. Can a CVE be assigned for this please? Cheers Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ