As you may have seen if you've been following discussions on the
mailing list, we discovered a low-priority security problem with
nbdkit's handling of TLS connections.

If TLS is enabled without either client certificate validation or PSK,
untrusted clients can connect, negotiate the TLS handshake, disconnect
and leak about 14K of memory each time. So after tens of thousands to
millions of connections you can leak a substantial amount of memory,
likely resulting in nbdkit crashing, thus a denial of service attack.

TLS is enabled by default only if certificates are available. Both
client certificate validation and PSK are disabled by default. So the
server can default to being vulnerable once you've created
certificates, although it is probably not vulnerable in out-of-the-box
configurations because I don't know any Linux distro which is
automatically creating TLS certs for nbdkit.

The upstream fix is:

https://github.com/libguestfs/nbdkit/commit/baf10918f94b84185a27b4bb81cf3...

This has been backported to all stable branches, and is also available
in the following released versions:

  nbdkit >= 1.9.4
  nbdkit >= 1.8.2
  nbdkit >= 1.6.4
  nbdkit >= 1.4.4
  nbdkit >= 1.2.8

all available here:

http://download.libguestfs.org/nbdkit/

I'm making updated packages available for Fedora now.

Rich.

--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
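
Added example, not part of the original message and not nbdkit code: shell functions that triage an nbdkit instance against the advisory above, using the per-branch fixed releases it lists and nbdkit's --tls, --tls-verify-peer and --tls-psk options. The function names, verdict strings, handling of branches the message does not list, and the sample command line are assumptions.

```shell
#!/bin/sh
# Added example (not nbdkit code): triage an instance against this advisory.

# Succeeds when VERSION is at or above the fixed release of its stable branch,
# as listed in the advisory. Unlisted branches below 1.9 count as unfixed and
# anything after the 1.9 branch as fixed (both are assumptions).
nbdkit_fixed() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}
    case "$major.$minor" in
        1.9) min=4 ;;
        1.8) min=2 ;;
        1.6|1.4) min=4 ;;
        1.2) min=8 ;;
        *) [ "$major" -gt 1 ] || [ "$minor" -gt 9 ]; return ;;
    esac
    [ "${patch:-0}" -ge "$min" ]
}

# Prints "off", "authenticated" (client certificates or PSK required) or
# "open" (TLS may be active with no client authentication).
tls_mode() {
    mode=open; prev=
    for arg in "$@"; do
        case "$arg" in
            --tls=off) echo off; return ;;
            off) if [ "$prev" = --tls ]; then echo off; return; fi ;;
            --tls-verify-peer|--tls-psk|--tls-psk=*) mode=authenticated ;;
        esac
        prev=$arg
    done
    echo "$mode"
}

# Verdict for one instance: VERSION followed by its nbdkit arguments.
assess() {
    version=$1; shift
    if nbdkit_fixed "$version"; then echo patched
    elif [ "$(tls_mode "$@")" = open ]; then echo exposed-if-certs-present
    else echo unpatched-mitigated
    fi
}

# Constructed sample: an unpatched 1.8 server with TLS required, no client auth.
assess 1.8.1 --tls=require --tls-certificates=/etc/pki/nbdkit file /disk.img
```

Pass the bare version number (for example the second field of `nbdkit --version`) followed by the arguments the server was started with.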