severity 571634 serious
thanks

On Thu, Jun 09, 2011 at 11:18:30AM +0200, Josip Rodin wrote:
> retitle 571634 xen-utils-common vif-common.sh still using --physdev-out, --state
> found 571634 4.0.0-1
> thanks
>
> Hi,
>
> That link to upstream patch in the last message is apparently broken,
> a working one is:
>
> http://xenbits.xen.org/hg/xen-unstable.hg/rev/b0fe8260cefa
>
> but also more importantly for the current stable package:
>
> http://xenbits.xen.org/hg/xen-4.0-testing.hg/rev/af7110f4f803
>
> Because the state module is activated, conntrack kicks in, and eventually
> a high amount of traffic will cause the following to happen on dom0:
>
> Jun 9 09:24:45 crux kernel: [27998.532343] nf_conntrack: table full, dropping packet.
> Jun 9 09:24:54 crux kernel: [28007.820634] nf_conntrack: table full, dropping packet.
> Jun 9 09:24:54 crux kernel: [28007.820651] nf_conntrack: table full, dropping packet.
>
> That could almost qualify as an excessive susceptibility to DoS, i.e. a
> security issue.
>
> Please fix both bugs in stable. TIA.

In fact an analogous issue in libvirt was treated by others as a security
issue: http://wiki.libvirt.org/page/Networking#Creating_network_initscripts
links to https://bugzilla.redhat.com/show_bug.cgi?id=512206

It really should be fixed.

-- 
     2. That which causes joy or happiness.
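
A dom0 check for the condition this report describes, as an added example that is not part of the original message or of the Xen packaging: it flags FORWARD rules that rely on the state match, counts the "table full" drops in a kernel log, and reports how full the conntrack table is. The function names, the `vif1.0` rule excerpt, the 80% default threshold and the 61000/65536 figures are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; sample inputs are constructed unless noted.

# Constructed iptables-save excerpt: the first FORWARD rule combines a state
# match with --physdev-out (the pattern named in the bug title), the second
# uses physdev only.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
COMMIT'

# The three kernel log lines quoted in the report, plus one constructed
# unrelated line.
SAMPLE_LOG='Jun 9 09:24:45 crux kernel: [27998.532343] nf_conntrack: table full, dropping packet.
Jun 9 09:24:54 crux kernel: [28007.820634] nf_conntrack: table full, dropping packet.
Jun 9 09:24:54 crux kernel: [28007.820651] nf_conntrack: table full, dropping packet.
Jun 9 09:25:01 crux kernel: [28014.000000] device vif1.0 entered promiscuous mode'

# Read iptables-save output on stdin; print FORWARD rules that use the state
# or conntrack match and therefore depend on connection tracking.
stateful_forward_rules() {
    awk '/^-A FORWARD / && / -m (state|conntrack) / { print }'
}

# Read a kernel log on stdin; print how many "table full" drop events it holds.
count_table_full() {
    awk '/nf_conntrack: table full, dropping packet/ { n++ } END { print n + 0 }'
}

# Integer percentage of the conntrack table in use. On a live dom0 the two
# arguments come from /proc/sys/net/netfilter/nf_conntrack_count and
# /proc/sys/net/netfilter/nf_conntrack_max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Exit status 0 when usage is at or above the threshold (assumed default: 80).
conntrack_near_full() {
    [ "$(conntrack_usage_pct "$1" "$2")" -ge "${3:-80}" ]
}

printf '%s\n' "$SAMPLE_RULES" | stateful_forward_rules
echo "table-full events: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
conntrack_near_full 61000 65536 && echo "conntrack table at $(conntrack_usage_pct 61000 65536)%"
```

On a real host, pipe `iptables-save` and the kernel log into the first two functions instead of the sample variables.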