Josip Rodin
2011-Jun-09 09:18 UTC
[Pkg-xen-devel] Bug#571634: correct link to patch, another tangled issue in current stable
retitle 571634 xen-utils-common vif-common.sh still using --physdev-out, --state
found 571634 4.0.0-1
thanks

Hi,

That link to upstream patch in the last message is apparently broken,
a working one is:

http://xenbits.xen.org/hg/xen-unstable.hg/rev/b0fe8260cefa

but also more importantly for the current stable package:

http://xenbits.xen.org/hg/xen-4.0-testing.hg/rev/af7110f4f803

Because the state module is activated, conntrack kicks in, and eventually
a high amount of traffic will cause the following to happen on dom0:

Jun 9 09:24:45 crux kernel: [27998.532343] nf_conntrack: table full, dropping packet.
Jun 9 09:24:54 crux kernel: [28007.820634] nf_conntrack: table full, dropping packet.
Jun 9 09:24:54 crux kernel: [28007.820651] nf_conntrack: table full, dropping packet.

That could almost qualify as an excessive susceptibility to DoS, i.e. a security
issue.

Please fix both bugs in stable. TIA.

--
2. That which causes joy or happiness.
Debian Bug Tracking System
2011-Jun-09 09:21 UTC
[Pkg-xen-devel] Processed: correct link to patch, another tangled issue in current stable
Processing commands for control at bugs.debian.org:

> retitle 571634 xen-utils-common vif-common.sh still using --physdev-out, --state
Bug #571634 [xen-utils-common] xen-utils-common - using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic
Changed Bug title to 'xen-utils-common vif-common.sh still using --physdev-out, --state' from 'xen-utils-common - using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic'
> found 571634 4.0.0-1
Bug #571634 [xen-utils-common] xen-utils-common vif-common.sh still using --physdev-out, --state
Bug Marked as found in versions xen-common/4.0.0-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
571634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
Josip Rodin
2011-Jun-09 09:32 UTC
[Pkg-xen-devel] Bug#571634: correct link to patch, another tangled issue in current stable
severity 571634 serious
thanks

On Thu, Jun 09, 2011 at 11:18:30AM +0200, Josip Rodin wrote:
> retitle 571634 xen-utils-common vif-common.sh still using --physdev-out, --state
> found 571634 4.0.0-1
> thanks
>
> Hi,
>
> That link to upstream patch in the last message is apparently broken,
> a working one is:
>
> http://xenbits.xen.org/hg/xen-unstable.hg/rev/b0fe8260cefa
>
> but also more importantly for the current stable package:
>
> http://xenbits.xen.org/hg/xen-4.0-testing.hg/rev/af7110f4f803
>
> Because the state module is activated, conntrack kicks in, and eventually
> a high amount of traffic will cause the following to happen on dom0:
>
> Jun 9 09:24:45 crux kernel: [27998.532343] nf_conntrack: table full, dropping packet.
> Jun 9 09:24:54 crux kernel: [28007.820634] nf_conntrack: table full, dropping packet.
> Jun 9 09:24:54 crux kernel: [28007.820651] nf_conntrack: table full, dropping packet.
>
> That could almost qualify as an excessive susceptibility to DoS, i.e. a security
> issue.
>
> Please fix both bugs in stable. TIA.

In fact an analogous issue in libvirt was treated by others as a security issue:

http://wiki.libvirt.org/page/Networking#Creating_network_initscripts
links to https://bugzilla.redhat.com/show_bug.cgi?id=512206

It really should be fixed.

--
2. That which causes joy or happiness.
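
An added example, not part of the thread or of the xen-utils-common package: a small audit that flags firewall rule lines using the two options named in the bug title, `--state` (which pulls in connection tracking) and `--physdev-out`. The function names and the sample rules are constructed for illustration; they are not the contents of vif-common.sh.

```shell
#!/bin/sh
# Flag iptables rule lines that load connection tracking (-m state / --state,
# -m conntrack) or match on --physdev-out. Input: shell scripts or
# iptables-save dumps given as file arguments, or stdin when none are given.

audit_rules() {
    # Prints "<line number>:<reason>:<rule text>" for each flagged line.
    awk '
        /^[ \t]*#/       { next }   # skip comment lines
        !/iptables|^-A / { next }   # keep only rule lines
        {
            reason = ""
            if ($0 ~ /--state|-m[ \t]+(state|conntrack)/)
                reason = "conntrack"
            if ($0 ~ /--physdev-out/)
                reason = (reason != "" ? reason "+" : "") "physdev-out"
            if (reason != "")
                printf "%d:%s:%s\n", NR, reason, $0
        }
    ' "$@"
}

count_flagged() {
    # $1 = reason to count ("conntrack" or "physdev-out"); rest = files.
    reason=$1
    shift
    audit_rules "$@" |
        awk -F: -v r="$reason" 'index($2, r) { n++ } END { print n + 0 }'
}

# Constructed sample input (hypothetical rules, not the real vif-common.sh).
sample_rules() {
    cat <<'EOF'
# constructed sample rules
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif1.0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out vif1.0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Stand-alone run: report the flagged lines of the constructed sample.
sample_rules | audit_rules
```

Pass the path of a hotplug script or a saved `iptables-save` dump as an argument to audit real rules instead of the sample.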