On Fri, Jan 23, 2009 at 10:36:19AM +0100, Ramon Bastiaans wrote: > I saw this pass by on my RSS feeds, not sure if you guys are aware of > these yet?
yes, they were reported originally here : http://www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg04929.html > * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0241 > > "Stack-based buffer overflow in the process_path function in > gmetad/server.c in Ganglia 3.1.1 allows remote attackers to cause a > denial of service (crash) via a request to the gmetad service with a > long pathname." this was is being tracked in : http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=223 and affects all versions of gmetad older than 2.5.4 (including 2.5.7, 3.0.7 and 3.1.1), patch is available in the bug report and will be included as part of 3.1.2 and 3.0.8 > * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0242 > > "Ganglia 3.1.1 allows remote attackers to cause a denial of service via > a request to the gmetad service with a path does not exist, which causes > Ganglia to (1) perform excessive CPU computation and (2) send the entire > tree, which consumes network bandwidth." this one is IMHO invalid as the CPU and bandwith costs for this in the current code are constant and the wording quoted was most likely taken out of context as it referred originally to a contribution proposal which has not been yet committed. Carlo ------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword _______________________________________________ Ganglia-developers mailing list Ganglia-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-developers
