Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAPNiXbGAjOKHZH02R+T5HbtXs0F8OLbPz=SZrG4G+ZqgX--wBA@mail.gmail.com>
Date: Tue, 26 Sep 2017 16:53:53 +0200
From: Alex R <alexr@...che.org>
To: dev <dev@...os.apache.org>, user <user@...os.apache.org>, 
	Amon Flair <amon@...dynarwhals.org>, Lyon Yang <lyon.yang.s@...il.com>, 
	security <security@...che.org>, oss-security@...ts.openwall.com
Subject: CVE-2017-9790: Libprocess might crash when decoding an HTTP request
 with absent path.

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Mesos 1.1.0 to 1.3.0
The unsupported Apache Mesos 1.0.x as well as 0.x versions may be also
affected.

Description:
When handling a libprocess message wrapped in an HTTP request, libprocess
crashes if the request path is empty, because the parser assumes the request
path always starts with '/'. A malicious actor can therefore cause a denial
of service of Mesos masters rendering the Mesos-controlled cluster
inoperable.

Mitigation:
pre-1.1.x users should upgrade to at least 1.1.3
1.1.x users should upgrade to 1.1.3
1.2.x users should upgrade to 1.2.2
1.3.0 users should upgrade to 1.3.1
1.4.0-dev users should obtain Mesos 1.4.0

Credit:
This issue was discovered by Lyon Yang and Jeremy Heng

Alex on behalf of Mesos PMC

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.