[Libguestfs] [NBDKIT SECURITY] STARTTLS denial-of-service weakness
Eric Blake
eblake at redhat.com
Thu Aug 19 19:16:10 UTC 2021
On Wed, Aug 18, 2021 at 03:39:15PM -0500, Eric Blake wrote:
> We have discovered a potential Denial of Service Attack in nbdkit,
> when using opportunistic TLS.
>
> Fixes
> -----
>
> This affects all nbdkit versions 1.12 through 1.26.4, as well as
> development versions through 1.27.5. A fix is available for the
> current development branch, and a followup email will give commit ids
> for each stable branch where the fix has been backported.
>
> https://listman.redhat.com/archives/libguestfs/2021-August/msg00077.html
>
> * development branch (1.27)
https://gitlab.com/nbdkit/nbdkit/-/commit/09a13dafb7bb3a38ab52eb5501cba786365ba7fd
> use nbdkit >= 1.27.6 from
> http://download.libguestfs.org/nbdkit/1.15-development/
> * stable branch 1.26
https://gitlab.com/nbdkit/nbdkit/-/commit/b358ead018fa3ba36918969f801dde73251afd6f
> use nbdkit >= 1.26.5 from
> http://download.libguestfs.org/nbdkit/1.26-stable/
> * stable branch 1.24
https://gitlab.com/nbdkit/nbdkit/-/commit/6185b15a81e6915734d678f0781e31d45a7941a1
> use nbdkit >= 1.24.6 from
> http://download.libguestfs.org/nbdkit/1.24-stable/
Older branches are patched for those building from a branch, but we
will not create actual releases on the branch unless there is demand.
* stable branch 1.22
https://gitlab.com/nbdkit/nbdkit/-/commit/ffb9dc381a57d2de17dae7a39853c041a36a041f
* stable branch 1.20
https://gitlab.com/nbdkit/nbdkit/-/commit/2845315e7691c500f5788c047f4aa82f4abd209d
* stable branch 1.18
https://gitlab.com/nbdkit/nbdkit/-/commit/c8159e4c63b7909dacc0c6c6da67f4a26c654e83
* stable branch 1.16
https://gitlab.com/nbdkit/nbdkit/-/commit/c6a76da86bd5fad5b22bf228616a40a263ca8802
* stable branch 1.14
https://gitlab.com/nbdkit/nbdkit/-/commit/022a63bfe956b58a11713744c9b98b3781570a84
* stable branch 1.12
https://gitlab.com/nbdkit/nbdkit/-/commit/650fc4316172d75ddd755d7cda36de0c4799f532
Introduced in 1.11.8, commit eaa4c6e9a2c4bdb71aefdd4b1d865e7a9af606a8
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
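Added example, not code from nbdkit or from this advisory: a small affected-version check that encodes the ranges stated above (introduced in 1.11.8, affecting releases through 1.26.4 and development versions through 1.27.5; fixed in 1.27.6, 1.26.5 and 1.24.6; stable branches 1.22 and older patched only in git, so any released version on those branches is treated as affected). It takes the lower bound from the "Introduced in 1.11.8" line rather than the "1.12 through" wording, which is this example's interpretation. The `check_installed` helper assumes `nbdkit --version` prints the version in x.y.z form.

```python
"""Affected-version check for the nbdkit STARTTLS denial-of-service weakness.

Added example (not nbdkit project code). The version ranges below are
transcribed from the advisory text; 1.11.8 is taken from the "Introduced
in" line, which is this example's interpretation of the lower bound.
"""
import re
import subprocess

# Regression introduced in this development version (commit eaa4c6e9...).
INTRODUCED = (1, 11, 8)

# Branches that received a release containing the fix:
# (major, minor) -> first fixed patch level.
FIXED_RELEASES = {
    (1, 27): 6,   # development branch, fixed in 1.27.6
    (1, 26): 5,   # stable branch, fixed in 1.26.5
    (1, 24): 6,   # stable branch, fixed in 1.24.6
}


def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'nbdkit 1.26.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """Return True if this nbdkit version carries the STARTTLS DoS weakness."""
    major, minor, patch = version
    if version < INTRODUCED:
        return False            # predates the regression entirely
    branch = (major, minor)
    fixed_at = FIXED_RELEASES.get(branch)
    if fixed_at is not None:
        return patch < fixed_at  # on a branch with a fixed release
    if branch > max(FIXED_RELEASES):
        return False            # newer than 1.27: the fix predates it
    # 1.11.8 .. 1.25.x development versions, and stable branches 1.22 and
    # older (patched in git only, no release cut), are all affected.
    return True


def check_installed(binary="nbdkit"):
    """Query the installed nbdkit (assumes `nbdkit --version` prints x.y.z)."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_version(out)
    return version, is_affected(version)


if __name__ == "__main__":
    # Constructed sample strings, as `nbdkit --version` would print them.
    for sample in ("nbdkit 1.26.4", "nbdkit 1.26.5", "nbdkit 1.22.1",
                   "nbdkit 1.27.6", "nbdkit 1.11.7"):
        v = parse_version(sample)
        print(sample, "->", "AFFECTED" if is_affected(v) else "not affected")
```

Run it against a real installation with `python3 -c 'import check; print(check.check_installed())'` (assuming the file is saved as check.py); note that a distribution package may carry the backported fix without bumping the upstream version, so a version-only check can report a false positive there.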