Re: [PULL 5/5] nbd/server: CVE-2024-7409: Close stray clients at server-stop
From: Eric Blake
Subject: Re: [PULL 5/5] nbd/server: CVE-2024-7409: Close stray clients at server-stop
Date: Mon, 12 Aug 2024 09:44:00 -0500
User-agent: NeoMutt/20240425
On Sun, Aug 11, 2024 at 11:02:52AM GMT, Michael Tokarev wrote:
> 09.08.2024 00:53, Eric Blake wrote:
> > A malicious client can attempt to connect to an NBD server, and then
> > intentionally delay progress in the handshake, including if it does
> > not know the TLS secrets. Although the previous two patches reduce
>
> Eric, from the 5-patch series, only this last patch is Cc'd for stable,
> but it obviously does not work without all 4 previous patches. Do you
> mean the whole series should be applied to -stable?
>
> I picked up patches 2-5 for 7.2 and 9.0.
You are correct that patch 5 in isolation won't work due to missing
pre-reqs, but also that 1 is fluff that doesn't need backporting; my
apologies for not more judiciously adding the cc to all 4 patches
worth the backport effort. I'm in the middle of efforts to backport
only 2-5 to various RHEL releases, so your choice to do the same for
7.2 and 9.0 matches what I'm doing downstream.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization: qemu.org | libguestfs.org