Summary: | <sys-block/nbd-3.11: denial of service vulnerability (CVE-2013-7441,CVE-2015-0847) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | base-system |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7441 | ||
Whiteboard: | B3 [noglsa/cve] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2015-06-02 11:57:09 UTC
Another DoS (CVE-2015-0847) to the OP.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0847

---
nbd-server.c in Network Block Device (nbd-server) before 3.11 does not properly handle signals, which allows remote attackers to cause a denial of service (deadlock) via unspecified vectors.
---

Versions affected: < 3.11

https://www.debian.org/security/2015/dsa-3271 (as above)

Debian have backported a fix to 3.2.4, 3.8.4, and 3.10.1. It is possible for these to be extracted if the maintainer decides which of these versions will be purged from the tree given the vulnerabilities reported in the previous comment.

3.11 is in our tree already. marking it stable should be fine.

(In reply to SpanKY from comment #2)
> 3.11 is in our tree already. marking it stable should be fine.

Thanks.

Arches, please test and mark stable
=sys-block/nbd-3.11
Target KEYWORDS="~alpha amd64 arm ~ia64 ppc ppc64 ~sparc x86"

Stable for PPC64.

amd64 stable

x86 stable

arm stable

CVE-2015-0847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0847): nbd-server.c in Network Block Device (nbd-server) before 3.11 does not properly handle signals, which allows remote attackers to cause a denial of service (deadlock) via unspecified vectors.

CVE-2013-7441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7441): The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export.

ppc stable.

Maintainer(s), please cleanup. Security, please vote.

Maintainer(s), Thank you for cleanup. Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

GLSA Vote: No

Ping on cleanup.

Cleanup handled, closing.