As you may have seen if you've been following discussions on the mailing list, we discovered a low priority security problem with nbdkit's handling of TLS connections. If TLS is enabled without either client certificate validation or PSK, untrusted clients can connect, negotiate the TLS handshake, disconnect and leak about 14K of memory each time. So after tens of thousands to millions of connections you can leak a substantial amount of memory, likely resulting in nbdkit crashing, thus a denial of service attack. TLS is enabled by default only if certificates are available. Both client certificate validation and PSK are disabled by default. So the server can default to being vulnerable once you've created certificates, although it is probably not vulnerable in out of the box configurations because I don't know any Linux distro which is automatically creating TLS certs for nbdkit. The upstream fix is: https://github.com/libguestfs/nbdkit/commit/baf10918f94b84185a27b4bb81cf3... This has been backported to all stable branches, and is also available in the following released versions: nbdkit >= 1.9.4 nbdkit >= 1.8.2 nbdkit >= 1.6.4 nbdkit >= 1.4.4 nbdkit >= 1.2.8 all available here: http://download.libguestfs.org/nbdkit/ I'm making updated packages available for Fedora now. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-builder quickly builds VMs from scratch http://libguestfs.org/virt-builder.1.html