>>> On 1/23/2009 at 3:11 AM, in message <20090123101118.gc29...@sajinet.com.pe>, Carlo Marcelo Arenas Belon <care...@sajinet.com.pe> wrote:
> On Fri, Jan 23, 2009 at 10:36:19AM +0100, Ramon Bastiaans wrote:
>> I saw this pass by on my RSS feeds, not sure if you guys are aware of
>> these yet?
>
> yes, they were reported originally here :
>
> http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg04929.html
>
>> * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0241
>>
>> "Stack-based buffer overflow in the process_path function in
>> gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a
>> denial of service (crash) via a request to the gmetad service with a
>> long pathname."
>
> this one is being tracked in :
>
> http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223
>
> and affects all versions of gmetad older than 2.5.4 (including 2.5.7,
> 3.0.7 and 3.1.1), patch is available in the bug report and will be
> included as part of 3.1.2 and 3.0.8
>
>> * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0242
>>
>> "Ganglia 3.1.1 allows remote attackers to cause a denial of service via
>> a request to the gmetad service with a path does not exist, which causes
>> Ganglia to (1) perform excessive CPU computation and (2) send the entire
>> tree, which consumes network bandwidth."
>
> this one is IMHO invalid as the CPU and bandwidth costs for this in the
> current code are constant and the wording quoted was most likely taken
> out of context as it referred originally to a contribution proposal
> which has not been yet committed.
>
Are we finished hashing this whole patch out yet? Are we ready to apply the current patch to 3.1.2 and release or is there still more discussion going on?

Brad