Re: [Libguestfs] [NBDKIT SECURITY] STARTTLS denial-of-service weakness
On Wed, Aug 18, 2021 at 03:39:15PM -0500, Eric Blake wrote:
We have discovered a potential Denial of Service Attack in nbdkit,
when using opportunistic TLS.
Fixes
-----
This affects all nbdkit versions 1.12 through 1.26.4, as well as
development versions through 1.27.5. A fix is available for the
current development branch, and a followup email will give commit ids
for each stable branch where the fix has been backported.
https://listman.redhat.com/archives/libguestfs/2021-August/msg00077.html
* development branch (1.27)
https://gitlab.com/nbdkit/nbdkit/-/commit/09a13dafb7bb3a38ab52eb5501cba78...
use nbdkit >= 1.27.6 from
http://download.libguestfs.org/nbdkit/1.15-development/
* stable branch 1.26
https://gitlab.com/nbdkit/nbdkit/-/commit/b358ead018fa3ba36918969f801dde7...
use nbdkit >= 1.26.5 from
http://download.libguestfs.org/nbdkit/1.26-stable/
* stable branch 1.24
https://gitlab.com/nbdkit/nbdkit/-/commit/6185b15a81e6915734d678f0781e31d...
use nbdkit >= 1.24.6 from
http://download.libguestfs.org/nbdkit/1.24-stable/
Older branches are patched for those building from a branch, but we
will not create actual releases on the branch unless there is demand.
* stable branch 1.22
https://gitlab.com/nbdkit/nbdkit/-/commit/ffb9dc381a57d2de17dae7a39853c04...
* stable branch 1.20
https://gitlab.com/nbdkit/nbdkit/-/commit/2845315e7691c500f5788c047f4aa82...
* stable branch 1.18
https://gitlab.com/nbdkit/nbdkit/-/commit/c8159e4c63b7909dacc0c6c6da67f4a...
* stable branch 1.16
https://gitlab.com/nbdkit/nbdkit/-/commit/c6a76da86bd5fad5b22bf228616a40a...
* stable branch 1.14
https://gitlab.com/nbdkit/nbdkit/-/commit/022a63bfe956b58a11713744c9b98b3...
* stable branch 1.12
https://gitlab.com/nbdkit/nbdkit/-/commit/650fc4316172d75ddd755d7cda36de0...
Introduced in 1.11.8, commit eaa4c6e9a2c4bdb71aefdd4b1d865e7a9af606a8
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org