From above URL: The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export. ---- Affected versions: >= 2.9.22 && <= 3.3 Versions in tree: 2.9.22 (stable) (vulnerable) 2.9.23 (stable) (vulnerable) 2.9.24 (stable) (vulnerable) 2.9.25 (stable) (vulnerable) 3.0 (unstable) (vulnerable) 3.1.1 (unstable) (vulnerable) 3.2 (stable) (vunlerable) 3.3 (unstable) (vulnerable) https://github.com/yoe/nbd/commit/741495cb08503fd32a9d22648e63b64390c601f4 http://www.openwall.com/lists/oss-security/2015/05/21/5 https://www.debian.org/security/2015/dsa-3271 Debian have backported the fix to 3.2.4 in their oldstable. I am unsure if it is useful to extract it, given the amount of successive versions after 3.3 and various old versions in our tree. Reproducible: Always
Another DoS (CVE-2015-0847) to the OP. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0847 --- nbd-server.c in Network Block Device (nbd-server) before 3.11 does not properly handle signals, which allows remote attackers to cause a denial of service (deadlock) via unspecified vectors. --- Versions affected: < 3.11 https://www.debian.org/security/2015/dsa-3271 (as above) Debian have backported a fix to 3.2.4, 3.8.4, and 3.10.1. It is possible for these to be extracted if the maintainer decides which of these versions will be purged from the tree given the vulnerabilities reported in the previous comment.
3.11 is in our tree already. marking it stable should be fine.
(In reply to SpanKY from comment #2) > 3.11 is in our tree already. marking it stable should be fine. Thanks. Arches, please test and mark stable =sys-block/nbd-3.11 Target KEYWORDS="~alpha amd64 arm ~ia64 ppc ppc64 ~sparc x86"
Stable for PPC64.
amd64 stable
x86 stable
arm stable
CVE-2015-0847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0847): nbd-server.c in Network Block Device (nbd-server) before 3.11 does not properly handle signals, which allows remote attackers to cause a denial of service (deadlock) via unspecified vectors.
CVE-2013-7441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7441): The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export.
ppc stable. Maintainer(s), please cleanup. Security, please vote.
Maintainer(s), Thank you for you for cleanup. Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No
GLSA Vote: No
Ping on cleanup.
Cleanup handled, closing.