On Wed, 2015-07-22 at 20:47 +0200, Christian Heimes wrote:
> On 2015-07-22 20:38, Nathaniel McCallum wrote:
> > On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
> > > On 2015-07-22 20:23, Nathaniel McCallum wrote:
> > > > Related: CVE-2015-5159
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1245200
> > >
> > > The patch prevents a flood attack, but I consider it more a workaround
> > > than a solution. I'll update kdcproxy tomorrow.
> >
> > The problem is that while we can provide a sane default, special
> > applications might require different sizes (either smaller or larger).
> > I think this fix is acceptable since it keeps the solution entirely
> > within the configuration domain.
>
> The python-kdcproxy package may be used by other parties with different
> web servers. I'd also like to see a countermeasure in kdcproxy. Other
> installations should not fall victim to the same issue.
>
> How about we set the default maximum size to a rather large value (like
> 5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very,
> very large for a Kerberos request but still prevents DoS and the OOM
> killer.

Fine by me.

Nathaniel

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
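The countermeasure discussed above (a configurable maximum request size, defaulting to a few MB, enforced before the body is buffered) as an added illustration; this is example code, not kdcproxy's own implementation, and the config key name `max_request_size` under `[global]` is an assumption, not kdcproxy.conf's real schema.

```python
# Added example, not kdcproxy's code: WSGI middleware enforcing a configurable request-size cap.
import configparser
import io

DEFAULT_MAX_SIZE = 5 * 1024 * 1024  # 5 MB default, the value floated in the thread

def max_size_from_config(text, default=DEFAULT_MAX_SIZE):
    # 'max_request_size' under [global] is an assumed key, not kdcproxy.conf's schema
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg.getint("global", "max_request_size", fallback=default)

def limit_request_size(app, max_size):
    """Reject bodies over max_size with 413 before the wrapped app buffers them."""
    def middleware(environ, start_response):
        def reject():
            start_response("413 Request Entity Too Large", [("Content-Type", "text/plain")])
            return [b"request too large\n"]
        declared = (environ.get("CONTENT_LENGTH") or "").strip()
        if declared:
            try:
                length = int(declared)
            except ValueError:
                return reject()        # malformed header: do not guess
            if length < 0 or length > max_size:
                return reject()        # cheap check, nothing read yet
            body = environ["wsgi.input"].read(length)
        else:
            # No Content-Length (e.g. chunked): never read more than max_size + 1
            body = environ["wsgi.input"].read(max_size + 1)
        if len(body) > max_size:
            return reject()
        environ["wsgi.input"] = io.BytesIO(body)    # bounded body for the app
        environ["CONTENT_LENGTH"] = str(len(body))
        return app(environ, start_response)
    return middleware

def _echo_app(environ, start_response):
    # Constructed downstream app standing in for the proxy: reports body size
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("received %d bytes\n" % len(environ["wsgi.input"].read())).encode()]

def call(max_size, body, declare_length=True):
    # Send a constructed request through the middleware; return (status, output)
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body)}
    if declare_length:
        environ["CONTENT_LENGTH"] = str(len(body))
    seen = {}
    out = b"".join(limit_request_size(_echo_app, max_size)(
        environ, lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], out
```

The Content-Length branch rejects oversized requests without reading a byte, while the no-length branch bounds the read itself so a chunked flood cannot grow the process past the cap.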