[<prev] [next>] [<thread-prev] [month] [year] [list]
Date: Tue, 3 Feb 2009 16:39:16 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: coley@...us.mitre.org
Subject: Re: CVE request - ganglia
updated to a "reject".
======================================================
Name: CVE-2009-0242
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0242
Reference: MLIST:[Ganglia-developers] 20090113 patches for: [Sec] Gmetad server BoF and network overload + [Feature] multiple requests per conn on interactive port
Reference: URL:http://www.mail-archive.com/ganglia-developers@...ts.sourceforge.net/msg04929.html
Reference: MLIST:[Ganglia-developers] 20090123 Re: CVE
Reference: URL:http://www.mail-archive.com/ganglia-developers@...ts.sourceforge.net/msg04969.html
Reference: MLIST:[Ganglia-developers] 20090123 Re: CVE
Reference: URL:http://www.mail-archive.com/ganglia-developers@...ts.sourceforge.net/msg04973.html
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0242#c1
Reference: XF:ganglia-gmetad-dos(48166)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48166
** REJECT **
gmetad in Ganglia 3.1.1, when supporting multiple requests per
connection on an interactive port, allows remote attackers to cause a
denial of service via a request to the gmetad service with a path does
not exist, which causes Ganglia to (1) perform excessive CPU
computation and (2) send the entire tree, which consumes network
bandwidth. NOTE: the vendor and original researcher have disputed
this issue, since legitimate requests can generate the same amount of
resource consumption. CVE concurs with the dispute, so this
identifier should not be used.
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux