Re: [Ganglia-developers] CVE

2009-01-26 Thread Stu Teasdale
On Sun, Jan 25, 2009 at 09:49:15PM +, Carlo Marcelo Arenas Belon wrote:
 On Fri, Jan 23, 2009 at 08:52:45AM -0700, Brad Nicholes wrote:
  
  Are we finished hashing this whole patch out yet?
 
 haven't seen many comments from other testers of the simplified patch,
 but considering that it has been included already in the 3.1.1 stable
 package from Gentoo x86, I'd assume it is hashed out already.
 
 Fedora and Debian are also testing patches for their packages AFAIK.
Patched 2.5.7 packages for debian have gone into both stable and testing 
now. I'll upload a patched 3.1.1 release this week (unless 3.1.2 is 
coming very soon?).

Stu
-- 
From the prompt of Stu Teasdale

Avoid the Gates of Hell.  Use Linux
(Unknown source)

--
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
___
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers


Re: [Ganglia-developers] CVE

2009-01-25 Thread Carlo Marcelo Arenas Belon
On Fri, Jan 23, 2009 at 08:52:45AM -0700, Brad Nicholes wrote:
 
 Are we finished hashing this whole patch out yet?

haven't seen many comments from other testers of the simplified patch,
but considering that it has been included already in the 3.1.1 stable
package from Gentoo x86, I'd assume it is hashed out already.

Fedora and Debian are also testing patches for their packages AFAIK.

 Are we ready to apply the current patch to 3.1.2 and release or is there
 still more discussion going on?

guess it depends on how you define current patch as the backported
patch has still one hunk that was originally meant to be for gmetad's
multi request proposed feature that is still under discussion and hasn't
been committed yet (a second hunk was reverted already as it showed a
regression in the web frontend while testing the proposed Fedora package
update that was using it).

in any case to avoid further delays (even if IMHO not ideal, but better
than the current situation) committed the backported patch in r1959 for
ganglia-3.1.

also committed r1960 to make the newly introduced feature (returning an
empty response instead of the full tree if the request to the interactive
port is invalid) consistent.

Carlo
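The two behaviours this thread contrasts, a miss on the interactive port that falls back to the full tree versus one that yields an empty response, modelled as a constructed Python example. This is added here and is not Ganglia's code: the nested-dict tree, the slash-separated path handling and all function names are assumptions, and gmetad's real data model and wire format are not reproduced.

```python
"""Constructed model of a gmetad-style interactive path lookup.

Added illustration, not Ganglia's code. Assumes a tree of nested dicts
addressed by slash-separated paths such as "/clusterA/host1"; the real
gmetad tree and XML wire format are not modelled.
"""

# Constructed sample tree: cluster -> host -> metric (values are strings).
SAMPLE_TREE = {
    "clusterA": {
        "host1": {"load_one": "0.42", "cpu_idle": "97.1"},
        "host2": {"load_one": "1.10", "cpu_idle": "55.0"},
    },
    "clusterB": {
        "host3": {"load_one": "0.05", "cpu_idle": "99.8"},
    },
}


def split_path(request):
    """Split "/clusterA/host1" into ["clusterA", "host1"]; "/" becomes []."""
    if not request.startswith("/"):
        raise ValueError("request must start with '/'")
    return [seg for seg in request.split("/") if seg]


def lookup(tree, request):
    """Return the subtree at `request`, or None if any segment is missing."""
    node = tree
    for segment in split_path(request):
        # Descending through a leaf value, or into a missing key, is a miss.
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def respond_fallback_to_root(tree, request):
    """The behaviour the advisory text describes: a miss returns the whole tree."""
    subtree = lookup(tree, request)
    return tree if subtree is None else subtree


def respond_empty_on_miss(tree, request):
    """The behaviour described for r1960: an invalid request gets an empty response."""
    subtree = lookup(tree, request)
    return {} if subtree is None else subtree


def count_leaves(node):
    """Response size in leaf metrics, to compare what each policy sends back."""
    if not isinstance(node, dict):
        return 1
    return sum(count_leaves(child) for child in node.values())


if __name__ == "__main__":
    bogus = "/no-such-cluster/host9"
    print("fallback leaves:", count_leaves(respond_fallback_to_root(SAMPLE_TREE, bogus)))
    print("strict leaves:  ", count_leaves(respond_empty_on_miss(SAMPLE_TREE, bogus)))
```

Run stand-alone, the fallback policy answers the bogus path with all six sample metrics while the strict policy answers with nothing; a valid path returns the same subtree under both policies, so the change only affects invalid requests.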



Re: [Ganglia-developers] CVE

2009-01-23 Thread Spike Spiegel
On Fri, Jan 23, 2009 at 11:52 PM, Brad Nicholes bnicho...@novell.com wrote:

  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0242

 Ganglia 3.1.1 allows remote attackers to cause a denial of service via
 a request to the gmetad service with a path does not exist, which causes
 Ganglia to (1) perform excessive CPU computation and (2) send the entire
 tree, which consumes network bandwidth.

 this one is IMHO invalid as the CPU and bandwidth costs for this in the
 current code are constant and the wording quoted was most likely taken
 out of context as it referred originally to a contribution proposal
 which has not been yet committed.


agreed, all the advisories I've seen around have misquoted my original
report and missed the link to the feature proposal. As it stands this
CVE is invalid.


 Are we finished hashing this whole patch out yet?  Are we ready to apply the 
 current patch to 3.1.2 and release or is there still more discussion going on?

as far as I'm concerned #223 is resolved and good to go.

thanks everybody.

-- 
Behind every great man there's a great backpack - B.
