[Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy
Nathaniel McCallum
npmccallum at redhat.com
Wed Jul 22 18:50:07 UTC 2015
On Wed, 2015-07-22 at 20:47 +0200, Christian Heimes wrote:
> On 2015-07-22 20:38, Nathaniel McCallum wrote:
> > On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
> > > On 2015-07-22 20:23, Nathaniel McCallum wrote:
> > > > Related: CVE-2015-5159
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1245200
> > >
> > > The patch prevents a flood attack but I consider it more a workaround
> > > than a solution. I'll update kdcproxy tomorrow.
> >
> > The problem is that while we can provide a sane default, special
> > applications might require different sizes (either smaller or larger).
> > I think this fix is acceptable since it keeps the solution entirely
> > within the configuration domain.
>
> The python-kdcproxy package may be used by other parties with different
> web servers. I would also like to see a countermeasure in kdcproxy. Other
> installations should not fall victim to the same issue.
>
> How about we set the default maximum size to a rather large value (like
> 5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very,
> very large for a Kerberos request but still prevents DoS and OOM killer.
Fine by me.
Nathaniel
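The configurable maximum request size discussed in this thread, written out as an added example that is not part of kdcproxy, python-kdcproxy or FreeIPA: a wrapper that sits in front of a WSGI application (assuming a WSGI deployment of the proxy) and answers oversized POSTs with 413 before the proxied code reads any of the body. The names `limit_body_size`, `echo_length_app`, `call` and the `max_bytes` parameter are hypothetical; the 5 MB default is the figure floated above, and the sample requests are constructed inline.

```python
"""Added example (not kdcproxy's or FreeIPA's code): cap the request body
size for a proxied endpoint such as /KdcProxy, with a configurable limit."""
import io
import sys

DEFAULT_MAX_BYTES = 5 * 1024 * 1024  # the 5 MB default suggested in the thread


def limit_body_size(app, max_bytes=DEFAULT_MAX_BYTES):
    """Return a WSGI app that refuses request bodies larger than max_bytes.

    Oversized requests are answered with 413 before the wrapped app ever
    touches the body, so a flood of huge POSTs cannot drive the process
    into the OOM killer.
    """
    def reject(start_response, status, message):
        body = (message + "\n").encode()
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
        return [body]

    def wrapped(environ, start_response):
        declared = (environ.get("CONTENT_LENGTH") or "").strip()
        if declared:
            # Fast path: a declared length above the limit is rejected
            # without reading a single body byte.
            try:
                length = int(declared)
            except ValueError:
                return reject(start_response, "400 Bad Request",
                              "invalid Content-Length")
            if length < 0:
                return reject(start_response, "400 Bad Request",
                              "invalid Content-Length")
            if length > max_bytes:
                return reject(start_response, "413 Payload Too Large",
                              "request body exceeds %d bytes" % max_bytes)
            return app(environ, start_response)

        # No Content-Length (e.g. chunked transfer): read at most one byte
        # past the limit, so an unbounded stream is never buffered in full.
        body = environ["wsgi.input"].read(max_bytes + 1)
        if len(body) > max_bytes:
            return reject(start_response, "413 Payload Too Large",
                          "request body exceeds %d bytes" % max_bytes)
        environ["wsgi.input"] = io.BytesIO(body)
        environ["CONTENT_LENGTH"] = str(len(body))
        return app(environ, start_response)

    return wrapped


def echo_length_app(environ, start_response):
    """Stand-in for the proxied app: reports how many body bytes it read."""
    n = len(environ["wsgi.input"].read())
    body = ("read %d bytes\n" % n).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, body, declare_length=True):
    """Drive a WSGI app with a constructed POST; returns (status, body)."""
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/KdcProxy",
        "wsgi.input": io.BytesIO(body),
        "wsgi.errors": sys.stderr,
    }
    if declare_length:
        environ["CONTENT_LENGTH"] = str(len(body))
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    # Small limit so the demo shows both outcomes with tiny constructed bodies.
    guarded = limit_body_size(echo_length_app, max_bytes=1024)
    print(call(guarded, b"A" * 100))                        # accepted
    print(call(guarded, b"A" * 2048))                       # 413 via header
    print(call(guarded, b"A" * 2048, declare_length=False))  # 413 via bounded read
```

The limit is applied in two places on purpose: a declared Content-Length above the cap is refused without touching the socket, and a request that omits the header is read only up to the cap plus one byte, so neither a lying nor a missing length lets more than `max_bytes` into memory. In a real deployment the value would come from the proxy's configuration file (kdcproxy.conf in the thread) rather than a constant.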