On Thu, Nov 20, 2008 at 01:57:54PM -0600, Raphael Geissert wrote:
> Hi,
>
> 2008/11/20 Nico Golde <[EMAIL PROTECTED]>:
> > Hi,
> > * Raphael Geissert <[EMAIL PROTECTED]> [2008-11-20 09:32]:
> >> The following CVE (Common Vulnerabilities & Exposures) id was published for
> >> msp-webserver.
> >>
> >> CVE-2008-5160[1]:
> > [...]
> >
> > Did you manage to reproduce that? Not reproducible for me
> > with the unstable version.
>
> No, I didn't have time to setup the server and attempt to reproduce it.
> But I did check the changelog and the patches being applied and found
> nothing relevant that could "fix" or prevent the issue.
>
> I have just tried to reproduce it and I succeeded.
>
> I made four fruitful attempts:
> 1. original exploit: nothing.
> 2. 200 requests: server segfaulted
> 3. 2000 requests: too many childs are spawned and they start eating
> the memory almost by 100MBs per sec.
> 4. 3000 requests: same as with the 2000 requests.
>
> Note that I had to run the exploit a couple of times to reproduce the
> issue triggered at 3, and when I tried to reproduce the segfault under
> gdb to get a backtrace I didn't succeed to reproduce it.
So let's just drop it from Lenny. We don't need the 40th minimal web
server in the archive, especially not if it crashes under load.
Such errors in fringe servers are not DoS vulnerabilities, but regular
bugs. We're not talking about Apache here.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
