Dear Maintainer,
During the last few days I did some testing around this bug and hope that my
findings help to fix it.

Root Cause
==========
It looks like the bug is caused by the 2 patches added to fix CVE-2017-9524:

- nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
- nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch

Both patches were already included in version 2.8+dfsg-6+deb9u1, but not
activated yet. This happened in version 2.8+dfsg-6+deb9u2.

Versions affected by this bug (broken)
======================================
- 2.8+dfsg-6+deb9u2
- 2.8+dfsg-6+deb9u3
- 2.8+dfsg-6+deb9u4
- 2.8+dfsg-6+deb9u5
... (only the listed versions were tested)

Versions not affected (OK)
==========================
- 2.8+dfsg-6+deb9u1
... (older versions were not tested)

Remark:
In the following tests the live migration was executed several times in
both directions.

Test 1:
=======
- git clone https://salsa.debian.org/qemu-team/qemu
- checkout tag 2.8+dfsg-6+deb9u1
- rebuild packages without any change
- install packages on two Debian Stretch servers together with libvirt 3.0.0-4+deb9u3
- execute a live migration including storage with the following command:
# time sudo virsh migrate --live --desturi qemu+ssh://destserver/system --copy-storage-all --persistent --verbose --undefinesource --domain pxe1
=> Success

Test 2:
=======
- checkout tag 2.8+dfsg-6+deb9u2
- disable both CVE-2017-9524 patches
- rebuild packages
- install packages on two Debian Stretch servers together with libvirt 3.0.0-4+deb9u3
- execute a live migration including storage with the following command:
# time sudo virsh migrate --live --desturi qemu+ssh://destserver/system --copy-storage-all --persistent --verbose --undefinesource --domain pxe1
=> Success

Test 3:
=======
- checkout tag 2.8+dfsg-6+deb9u5
- disable both CVE-2017-9524 patches
- rebuild packages
- install packages on two Debian Stretch servers together with libvirt 3.0.0-4+deb9u3
- execute a live migration including storage with the following command:
# time sudo virsh migrate --live --desturi qemu+ssh://destserver/system --copy-storage-all --persistent --verbose --undefinesource --domain pxe1
=> Success

Conclusion
==========
Obviously, reverting the CVE-2017-9524 patches would just be a quick fix
re-opening security issues. I can help testing. Unfortunately, anything
else is beyond my capabilities.

Regards
Berni
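The three tests above are one procedure: check out a tagged revision of the Debian qemu packaging, optionally disable the two CVE-2017-9524 quilt patches, rebuild, install, and run the same storage-inclusive live migration. The script below is an added example written for this page; it is not part of Berni's report or of the Debian qemu packaging. It assumes the checked-out tree lists its patches in the standard quilt file debian/patches/series, that the tag names are exactly as written in the report (Debian packaging repositories often prefix them, e.g. with debian/), and that git, dpkg-buildpackage and virsh are installed with a reachable destination host; disable_patches, rebuild_without_cve_patches and migrate_with_storage are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original bug report: reproduce the bisection
# steps of Tests 1-3 (rebuild the Debian qemu package with the two
# CVE-2017-9524 patches disabled, then run the same virsh live migration).
set -eu

# The two quilt patches named in the report.
P1=nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
P2=nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch

# disable_patches SERIES: comment out P1 and P2 in a quilt series file
# (assumed to be debian/patches/series) and print how many lines were changed.
# Any count other than 2 means the tag does not carry both patches as active,
# which is exactly the deb9u1 vs deb9u2 difference the report describes.
disable_patches() {
    series="$1"
    tmp="$series.tmp"
    count=0
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$P1"|"$P2")
                printf '# %s\n' "$line" >> "$tmp"
                count=$((count + 1))
                ;;
            *)
                printf '%s\n' "$line" >> "$tmp"
                ;;
        esac
    done < "$series"
    mv "$tmp" "$series"
    echo "$count"
}

# rebuild_without_cve_patches TAG: the build step of Tests 2 and 3. The tag
# name is assumed to be exactly as written in the report.
rebuild_without_cve_patches() {
    tag="$1"
    git clone https://salsa.debian.org/qemu-team/qemu qemu-src
    cd qemu-src
    git checkout "$tag"
    n=$(disable_patches debian/patches/series)
    if [ "$n" -ne 2 ]; then
        echo "expected to disable 2 patches, disabled $n" >&2
        return 1
    fi
    dpkg-buildpackage -us -uc -b
    cd ..
}

# migrate_with_storage DOMAIN DESTHOST: the migration command used in all three
# tests; run on the source host once both hosts carry the rebuilt packages.
migrate_with_storage() {
    virsh migrate --live --desturi "qemu+ssh://$2/system" \
        --copy-storage-all --persistent --verbose --undefinesource --domain "$1"
}

# Usage (Test 3), guarded by a "run" argument so that sourcing the file for
# its functions does nothing:
#   sh reproduce.sh run 2.8+dfsg-6+deb9u5 pxe1 destserver
if [ "${1:-}" = "run" ]; then
    rebuild_without_cve_patches "$2"
    migrate_with_storage "$3" "$4"
fi
```

Commenting the entries out rather than deleting them keeps the series file diffable against the packaged one, so the exact set of disabled patches is visible in the rebuilt source package.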
