[Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy
Christian Heimes
cheimes at redhat.com
Wed Jul 22 18:47:17 UTC 2015
On 2015-07-22 20:38, Nathaniel McCallum wrote:
> On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
>> On 2015-07-22 20:23, Nathaniel McCallum wrote:
>>> Related: CVE-2015-5159
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1245200
>>
>> The patch prevents a flood attack but I consider more a workaround
>> than
>> a solution. I'll update kdcproxy tomorrow.
>
> The problem is that while we can provide a sane default, special
> applications might require different sizes (either smaller or larger).
> I think this fix is acceptable since it keeps the solution entirely
> within the configuration domain.
The python-kdcproxy package may be used by other parties with different
web servers. I also like to see a countermeasure in kdcproxy. Other
installations should not fall victim to the same issue.
How about we set the default maximum size to a rather large value (like
5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very,
very large for a Kerberos request but still prevents DoS and OOM killer
Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150722/c2986e29/attachment.sig>
More information about the Freeipa-devel
mailing list