Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 13 Sep 2018 16:52:53 +0200
From: Alex R <>
To: dev <>, user <>, 
	Amon Flair <>, Lyon Yang <>, 
	security <>,, 
	Yeo Quan Yang <>
Subject: CVE-2018-1330: Libprocess might crash when decoding malformed HTTP
 requests or malformed JSON payload.

Severity: Important

The Apache Software Foundation

Versions Affected:
Apache Mesos 1.4.0 to 1.5.0
The unsupported Apache Mesos pre-1.4.0 releases may be also affected.

When parsing a malformed JSON payload, libprocess might crash due to
an uncaught exception. Parsing chunked HTTP requests with trailers
can lead to a libprocess crash too because of the mistakenly planted
assertion. A malicious actor can therefore cause a denial of service
of Mesos masters rendering the Mesos-controlled cluster inoperable.

pre-1.4.x users should upgrade to at least 1.4.2
1.4.x users should upgrade to 1.4.2
1.5.0 users should upgrade to 1.5.1
1.6.0-dev users should obtain Mesos 1.6.0 or later

This issue was discovered by Lyon Yang (@l0Op3r), Jeremy Heng
(@nn\_amon) and Quan Yang (@quanyang).

Alex on behalf of Mesos PMC.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.