Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 May 2015 12:16:08 +0200
From: Alessandro Ghedini <>
Subject: CVE Request: nbd denial of service


the following vulnerability was reported in the Debian bug tracker for nbd:

> There's a remotely exploitable denial of service flaw, similar/identical
> to CVE-2011-1925 in nbd-server. It has been documented publicly in
> 2013-01-28[1]. It has been fixed in upstream version 3.4 [2] and hence
> affects only the stable release (1:3.2-4~deb7u4).
> [1]:
> [2]:
> The flaw can be exploited easily by connecting to a server (listening at
> in this example) and asking for a non-existing export:
>   nbd-client -N some-non-existing-export-name /dev/nbd1
> The root (listener) nbd-server process will exit because of failed
> negotiation procedure, effectively denying the service from others.


According to the upstream author (Wouter Verhelst):

> versions <= 2.9.16 and >= 3.4 are definitely not vulnerable. Versions released
> immediately after CVE-2011-1925 are *probably* not vulnerable, but I'm not
> sure (and I don't want to go test all of them...). Versions released between
> 2.9.16 and 2.9.22 (which fixes CVE-2011-1925) are vulnerable in the sense that
> the bad design is still there, but I don't believe they would crash in that
> manner.

Can a CVE be assigned for this please?


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ