On Wed, 2015-07-22 at 20:47 +0200, Christian Heimes wrote:
> On 2015-07-22 20:38, Nathaniel McCallum wrote:
> > On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
> > > On 2015-07-22 20:23, Nathaniel McCallum wrote:
> > > > Related: CVE-2015-5159
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1245200
> > >
> > > The patch prevents a flood attack but I consider it more a workaround
> > > than a solution. I'll update kdcproxy tomorrow.
> > The problem is that while we can provide a sane default, special
> > applications might require different sizes (either smaller or
> > larger).
> > I think this fix is acceptable since it keeps the solution entirely
> > within the configuration domain.
> The python-kdcproxy package may be used by other parties with
> web servers. I would also like to see a countermeasure in kdcproxy. Other
> installations should not fall victim to the same issue.
> How about we set the default maximum size to a rather large value
> (5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very,
> very large for a Kerberos request but still prevents DoS and OOM.
Fine by me.
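As an added illustration of the countermeasure discussed above (example code, not kdcproxy's own implementation): a configurable request-size cap, enforced on the WSGI input stream so that neither a lying Content-Length nor a missing one lets a client push the proxy into an OOM. The 5 MB default and the `[global] max_size` key in kdcproxy.conf are assumptions for this example.

```python
import configparser
import io

# Assumed for this example: a 5 MB default cap and an INI key [global] max_size
# in kdcproxy.conf that overrides it. Neither is taken from the thread above.
DEFAULT_MAX_SIZE = 5 * 1024 * 1024
CHUNK = 64 * 1024


def load_max_size(conf_text, default=DEFAULT_MAX_SIZE):
    """Return the configured request cap in bytes from INI-style config text."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getint("global", "max_size", fallback=default)


def read_bounded_body(environ, max_size):
    """Read a WSGI request body while never holding more than max_size bytes.

    Returns (body, None) on success or (None, status) when the request must be
    rejected. Content-Length is only a hint: the client may lie or omit it, so
    the stream itself is read in bounded chunks and cut off at the cap.
    """
    declared = environ.get("CONTENT_LENGTH") or "0"
    try:
        declared = int(declared)
    except ValueError:
        return None, "400 Bad Request"
    if declared < 0 or declared > max_size:
        # Reject before reading a single byte of an oversized request.
        return None, "413 Request Entity Too Large"

    stream = environ["wsgi.input"]
    buf = bytearray()
    while True:
        # Ask for at most one byte past the cap so an overrun is detected
        # without ever buffering more than max_size + 1 bytes.
        chunk = stream.read(min(CHUNK, max_size + 1 - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > max_size:
            return None, "413 Request Entity Too Large"
    return bytes(buf), None


def make_environ(body, content_length=None):
    """Constructed WSGI environ for offline use (not a real server request)."""
    env = {"wsgi.input": io.BytesIO(body), "REQUEST_METHOD": "POST"}
    if content_length is not None:
        env["CONTENT_LENGTH"] = str(content_length)
    return env
```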
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code