oss-sec mailing list archives
Re: CVE request: nbd-server
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 17 May 2011 11:07:46 -0600
* [2011-05-17 10:38:20 +0200] Thijs Kinkhorst wrote:
Hi, In Debian the following was reported: nbd-server 2.9.21 has a NULL-pointer dereference in its negotiation phase, which allows unauthenticated users to DoS the server by causing the negotiation to fail (e.g., by specifying a non-existing name for an export). Filed as http://bugs.debian.org/627042. This affects only 2.9.21 so for us goes that only our unstable distribution is affected. We'd like to have a CVE name for this.
The Debian bug is really light on details, so here is the git commit that fixes this: http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commitdiff;h=ebbbe0b3ce5393fa42a259f5e03d549508586aaa But I don't see any evidence that this _only_ affects 2.9.21. Are we sure that it doesn't affect earlier versions? The reporter doesn't indicate one way or the other. CC'ing Wouter for clarification. --Vincent Danen / Red Hat Security Response Team
Current thread:
- CVE request: nbd-server Thijs Kinkhorst (May 17)
- Re: CVE request: nbd-server Vincent Danen (May 17)
- Re: CVE request: nbd-server Wouter Verhelst (May 17)
- Re: CVE request: nbd-server Vincent Danen (May 17)
- Re: CVE request: nbd-server Wouter Verhelst (May 17)
- Re: CVE request: nbd-server Josh Bressers (May 17)
- Re: CVE request: nbd-server Vincent Danen (May 17)