On Fri, Jan 23, 2009 at 11:52 PM, Brad Nicholes <bnicho...@novell.com> wrote:

>>>  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0242
>>> "Ganglia 3.1.1 allows remote attackers to cause a denial of service via
>>> a request to the gmetad service with a path does not exist, which causes
>>> Ganglia to (1) perform excessive CPU computation and (2) send the entire
>>> tree, which consumes network bandwidth."
>> this one is IMHO invalid as the CPU and bandwidth costs for this in the
>> current code are constant and the wording quoted was most likely taken
>> out of context as it referred originally to a contribution proposal
>> which has not been yet committed.

agreed, all the advisories I've seen around have misquoted my original
report and missed the link to the feature proposal. As it stands this
CVE is invalid.

> Are we finished hashing this whole patch out yet?  Are we ready to apply the 
> current patch to 3.1.2 and release or is there still more discussion going on?

as far as I'm concerned #223 is resolved and good to go.

thanks everybody.

"Behind every great man there's a great backpack" - B.

Ganglia-developers mailing list
