On Thu, Jan 22, 2009 at 10:01:13PM +0000, Stu Teasdale wrote:
> "I can see that the patch was adjusted several times and the current
> version still has the code that sends the entire tree, could that
> somehow be used for a DoS attack?"
Sending the entire tree through the network is also triggered when a request is received on the non-interactive port (TCP/8651), which is under the same ACL setup and accessible to any "attacker".

The original report was sent to the developer mailing list together with a proposal to add a feature which will loop through several provided paths and therefore execute the code that dumps the whole tree several times in a tight loop. References to a DoS possibility were made in connection with that code (which does not exist in the versions of ganglia packaged by Debian) and that hasn't been committed either, and therefore this bug report focuses on the buffer overflow instead, as defined in CVE-2009-0241.

Carlo