Date: Tue, 3 Feb 2009 16:39:16 -0500 (EST) From: "Steven M. Christey" <coley@...us.mitre.org> To: oss-security@...ts.openwall.com cc: coley@...us.mitre.org Subject: Re: CVE request - ganglia updated to a "reject". ====================================================== Name: CVE-2009-0242 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0242 Reference: MLIST:[Ganglia-developers] 20090113 patches for: [Sec] Gmetad server BoF and network overload + [Feature] multiple requests per conn on interactive port Reference: URL:http://firstname.lastname@example.org/msg04929.html Reference: MLIST:[Ganglia-developers] 20090123 Re: CVE Reference: URL:http://email@example.com/msg04969.html Reference: MLIST:[Ganglia-developers] 20090123 Re: CVE Reference: URL:http://firstname.lastname@example.org/msg04973.html Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0242#c1 Reference: XF:ganglia-gmetad-dos(48166) Reference: URL:http://xforce.iss.net/xforce/xfdb/48166 ** REJECT ** gmetad in Ganglia 3.1.1, when supporting multiple requests per connection on an interactive port, allows remote attackers to cause a denial of service via a request to the gmetad service with a path does not exist, which causes Ganglia to (1) perform excessive CPU computation and (2) send the entire tree, which consumes network bandwidth. NOTE: the vendor and original researcher have disputed this issue, since legitimate requests can generate the same amount of resource consumption. CVE concurs with the dispute, so this identifier should not be used.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.