oss-sec mailing list archives
CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.
From: Alex R <alexr () apache org>
Date: Tue, 26 Sep 2017 16:53:53 +0200
Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Mesos 1.1.0 to 1.3.0 The unsupported Apache Mesos 1.0.x as well as 0.x versions may be also affected. Description: When handling a libprocess message wrapped in an HTTP request, libprocess crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. Mitigation: pre-1.1.x users should upgrade to at least 1.1.3 1.1.x users should upgrade to 1.1.3 1.2.x users should upgrade to 1.2.2 1.3.0 users should upgrade to 1.3.1 1.4.0-dev users should obtain Mesos 1.4.0 Credit: This issue was discovered by Lyon Yang and Jeremy Heng Alex on behalf of Mesos PMC
Current thread:
- CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path. Alex R (Sep 26)