[Libguestfs] [NBDKIT SECURITY] STARTTLS denial-of-service weakness

Eric Blake eblake at redhat.com
Thu Aug 19 19:16:10 UTC 2021


On Wed, Aug 18, 2021 at 03:39:15PM -0500, Eric Blake wrote:
> We have discovered a potential Denial of Service Attack in nbdkit,
> when using opportunistic TLS.
> 

> Fixes
> -----
> 
> This affects all nbdkit versions 1.12 through 1.26.4, as well as
> development versions through 1.27.5.  A fix is available for the
> current development branch, and a followup email will give commit ids
> for each stable branch where the fix has been backported.
> 
> https://listman.redhat.com/archives/libguestfs/2021-August/msg00077.html
> 
> * development branch (1.27)
    https://gitlab.com/nbdkit/nbdkit/-/commit/09a13dafb7bb3a38ab52eb5501cba786365ba7fd
>   use nbdkit >= 1.27.6 from
>   http://download.libguestfs.org/nbdkit/1.15-development/

> * stable branch 1.26
    https://gitlab.com/nbdkit/nbdkit/-/commit/b358ead018fa3ba36918969f801dde73251afd6f
>   use nbdkit >= 1.26.5 from
>   http://download.libguestfs.org/nbdkit/1.26-stable/

> * stable branch 1.24
    https://gitlab.com/nbdkit/nbdkit/-/commit/6185b15a81e6915734d678f0781e31d45a7941a1
>   use nbdkit >= 1.24.6 from
>   http://download.libguestfs.org/nbdkit/1.24-stable/

Older branches are patched for those building from a branch, but we
will not create actual releases on the branch unless there is demand.

* stable branch 1.22
  https://gitlab.com/nbdkit/nbdkit/-/commit/ffb9dc381a57d2de17dae7a39853c041a36a041f

* stable branch 1.20
  https://gitlab.com/nbdkit/nbdkit/-/commit/2845315e7691c500f5788c047f4aa82f4abd209d

* stable branch 1.18
  https://gitlab.com/nbdkit/nbdkit/-/commit/c8159e4c63b7909dacc0c6c6da67f4a26c654e83

* stable branch 1.16
  https://gitlab.com/nbdkit/nbdkit/-/commit/c6a76da86bd5fad5b22bf228616a40a263ca8802

* stable branch 1.14
  https://gitlab.com/nbdkit/nbdkit/-/commit/022a63bfe956b58a11713744c9b98b3781570a84

* stable branch 1.12
  https://gitlab.com/nbdkit/nbdkit/-/commit/650fc4316172d75ddd755d7cda36de0c4799f532

Introduced in 1.11.8, commit eaa4c6e9a2c4bdb71aefdd4b1d865e7a9af606a8

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
