[Pkg-xen-devel] Bug#571634: correct link to patch, another tangled issue in current stable
Josip Rodin
joy at debbugs.entuzijast.net
Thu Jun 9 09:32:31 UTC 2011
severity 571634 serious
thanks
On Thu, Jun 09, 2011 at 11:18:30AM +0200, Josip Rodin wrote:
> retitle 571634 xen-utils-common vif-common.sh still using --physdev-out, --state
> found 571634 4.0.0-1
> thanks
>
> Hi,
>
> That link to upstream patch in the last message is apparently broken,
> a working one is:
>
> http://xenbits.xen.org/hg/xen-unstable.hg/rev/b0fe8260cefa
>
> but also more importantly for the current stable package:
>
> http://xenbits.xen.org/hg/xen-4.0-testing.hg/rev/af7110f4f803
>
> Because the state module is activated, conntrack kicks in, and eventually
> a high amount of traffic will cause the following to happen on dom0:
>
> Jun 9 09:24:45 crux kernel: [27998.532343] nf_conntrack: table full, dropping packet.
> Jun 9 09:24:54 crux kernel: [28007.820634] nf_conntrack: table full, dropping packet.
> Jun 9 09:24:54 crux kernel: [28007.820651] nf_conntrack: table full, dropping packet.
>
> That could almost qualify as an excessive susceptibility to DoS, i.e. a security
> issue.
>
> Please fix both bugs in stable. TIA.
In fact, an analogous issue in libvirt was treated by others
as a security issue:
http://wiki.libvirt.org/page/Networking#Creating_network_initscripts
links to
https://bugzilla.redhat.com/show_bug.cgi?id=512206
It really should be fixed.
--
2. That which causes joy or happiness.
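As an added example (not code from this bug report, from Debian's xen-utils-common or from vif-common.sh), here is a small dom0-side check that counts the `nf_conntrack: table full, dropping packet.` kernel messages quoted above and audits iptables FORWARD rules for guest vifs that match on connection state (which pulls every bridged packet into conntrack) or use `--physdev-out` without `--physdev-is-bridged`. The sample log lines and rules are constructed here; the rule shapes and the two checks are my assumptions about what to look for, derived from the options the report names, not a reproduction of the upstream patch.

```python
import re
from collections import Counter

# Constructed sample of dom0 kernel log text, shaped like the lines quoted in
# the bug report but not copied from any real host.
SAMPLE_KLOG = """\
Jun 9 09:24:45 crux kernel: [27998.532343] nf_conntrack: table full, dropping packet.
Jun 9 09:24:54 crux kernel: [28007.820634] nf_conntrack: table full, dropping packet.
Jun 9 09:24:54 crux kernel: [28007.820651] nf_conntrack: table full, dropping packet.
Jun 9 09:25:01 crux kernel: [28014.100000] eth0: link up
"""

# Constructed iptables-save style FORWARD rules in the shape a Xen vif hook
# script might emit for bridged guest interfaces (assumed; not taken from
# vif-common.sh). vif1.0 carries both problems, vif2.0 is the clean form.
SAMPLE_RULES = """\
-A FORWARD -m physdev --physdev-in vif1.0 -s 192.0.2.10/32 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif2.0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
"""

# Syslog-style timestamp followed by the exact conntrack drop message.
TABLE_FULL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*nf_conntrack: table full, dropping packet\."
)
# A vif interface named in a physdev match, e.g. vif1.0
VIF_RE = re.compile(r"--physdev-(?:in|out) (?P<vif>vif\d+\.\d+)")
# Any match option that engages connection tracking for the packet.
STATE_RE = re.compile(r"(?:-m state\b|--state\b|-m conntrack\b|--ctstate\b)")


def conntrack_table_full_events(log_text):
    """Count conntrack table-full drops; returns (total, Counter per second)."""
    per_second = Counter()
    for line in log_text.splitlines():
        m = TABLE_FULL_RE.match(line)
        if m:
            per_second[m.group("ts")] += 1
    return sum(per_second.values()), per_second


def audit_vif_rules(rules_text):
    """Flag vif FORWARD rules that engage conntrack or use a bare --physdev-out.

    Returns a list of {"vif", "rule", "reasons"} dicts, one per offending rule.
    """
    findings = []
    for line in rules_text.splitlines():
        vif = VIF_RE.search(line)
        if not vif:
            continue  # not a per-vif rule; outside this audit's scope
        reasons = []
        if STATE_RE.search(line):
            reasons.append("state/conntrack match on bridged vif traffic")
        if "--physdev-out" in line and "--physdev-is-bridged" not in line:
            reasons.append("--physdev-out without --physdev-is-bridged")
        if reasons:
            findings.append({"vif": vif.group("vif"), "rule": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    total, per_second = conntrack_table_full_events(SAMPLE_KLOG)
    print(f"conntrack table-full drops: {total}")
    for ts, n in sorted(per_second.items()):
        print(f"  {ts}: {n}")
    for f in audit_vif_rules(SAMPLE_RULES):
        print(f"{f['vif']}: {'; '.join(f['reasons'])}\n  {f['rule']}")
```

On a real dom0 the same functions can be fed `dmesg` output and `iptables-save` output; a non-zero drop count together with any audit finding is the signature of the condition the report describes, and the fix is in the hook script's rules, not in enlarging the conntrack table.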