Hello,
* Helmut Grohne [Fri, Mar 03 2017, 08:53:00AM]:

> Disclosure timeline
> -------------------
> 
> Since the impact of the vulnerability is limited (it's only DoS after
> all) and apt-cacher-ng is likely used in access-limited environments, no
> attempt at reporting it confidentially has been made. This is my first
> public report about it. No CVE is allocated at the time of this writing.

I will add some mitigation code which works similarly to what you have
described, although more harsh (only fallocate once per file and up to a
certain size, and no more; turn it off by default).

I am not convinced regarding the security flag, though. You simply
cannot stop the local idiots from playing nasty games with a caching proxy.
E.g. there are more tricks to make it download the same file multiple times,
and while that could probably be prevented, that might break some
existing use cases.

Regards,
Eduard.

-- 
<Madkiss> I had completely forgotten how slow an 800MHz processor is.
<Madkiss> -snore-
<hillu> Madkiss: 1GHz+ processors don't fall any faster than 9.81m/s² either
