[Pkg-xen-devel] Bug#571634: correct link to patch, another tangled issue in current stable

Josip Rodin joy at debbugs.entuzijast.net
Thu Jun 9 09:32:31 UTC 2011


severity 571634 serious
thanks

On Thu, Jun 09, 2011 at 11:18:30AM +0200, Josip Rodin wrote:
> retitle 571634 xen-utils-common vif-common.sh still using --physdev-out, --state
> found 571634 4.0.0-1
> thanks
> 
> Hi,
> 
> That link to upstream patch in the last message is apparently broken,
> a working one is:
> 
> http://xenbits.xen.org/hg/xen-unstable.hg/rev/b0fe8260cefa
> 
> but also more importantly for the current stable package:
> 
> http://xenbits.xen.org/hg/xen-4.0-testing.hg/rev/af7110f4f803
> 
> Because the state module is activated, conntrack kicks in, and eventually
> a high amount of traffic will cause the following to happen on dom0:
> 
> Jun  9 09:24:45 crux kernel: [27998.532343] nf_conntrack: table full, dropping packet.
> Jun  9 09:24:54 crux kernel: [28007.820634] nf_conntrack: table full, dropping packet.
> Jun  9 09:24:54 crux kernel: [28007.820651] nf_conntrack: table full, dropping packet.
> 
> That could almost qualify as an excessive susceptibility to DoS, i.e. a security
> issue.
> 
> Please fix both bugs in stable. TIA.

In fact an analogous issue in libvirt was treated by others
as a security issue:
http://wiki.libvirt.org/page/Networking#Creating_network_initscripts
links to
https://bugzilla.redhat.com/show_bug.cgi?id=512206

It really should be fixed.

-- 
     2. That which causes joy or happiness.





More information about the Pkg-xen-devel mailing list