Message ID | 20240807174943.771624-9-eblake@redhat.com |
---|---|
Headers | show |
Series | CVE-2024-7409 | expand |
On 8/7/24 19:43, Eric Blake wrote: > v3 was here: > https://lists.gnu.org/archive/html/qemu-devel/2024-08/msg00818.html > > since then: > - re-add a minor patch from v2 (now patch 1) > - refactor how the client opaque pointer is handled (patch 2) > - add two new patches to prevent malicious clients from consuming > inordinate resources: change the default max-connections from > unlimited to capped at 100 (patch 3), and add code to kill any > client that takes longer than 10 seconds after connect to reach > NBD_OPT_GO (patch 4) [Dan] > - squash the connection list handling into a single patch (5) [Dan] > - two new additional patches for reverting back to 9.0 behavior for > integration testing purposes; I'm okay if these last two miss 9.1 > > Eric Blake (7): > nbd: Minor style fixes > nbd/server: Plumb in new args to nbd_client_add() > nbd/server: CVE-2024-7409: Change default max-connections to 100 > nbd/server: CVE-2024-7409: Drop non-negotiating clients > nbd/server: CVE-2024-7409: Close stray client sockets at shutdown > qemu-nbd: Allow users to adjust handshake limit > nbd/server: Allow users to adjust handshake limit in QMP > > docs/tools/qemu-nbd.rst | 5 +++ > qapi/block-export.json | 18 +++++++--- > include/block/nbd.h | 20 +++++++++-- > block/monitor/block-hmp-cmds.c | 3 +- > blockdev-nbd.c | 62 +++++++++++++++++++++++++++++++--- > nbd/server.c | 51 +++++++++++++++++++++++++--- > qemu-nbd.c | 44 ++++++++++++++++-------- > nbd/trace-events | 1 + > 8 files changed, 173 insertions(+), 31 deletions(-) > should this go to stable too? 7.5 score is high enough. We have had CVE-2024-4467 <https://security-tracker.debian.org/tracker/CVE-2024-4467> with 7.8 merged to stables too. Den