On 2018/03/23 08:25, Jeremie Courreges-Anglas wrote:
> On Thu, Mar 22 2018, Stuart Henderson <s...@spacehopper.org> wrote:
> > OK to commit this pre-6.3?
> >
> > CVE-2018-6532: By sending specially crafted requests, authenticated and
> > unauthenticated, an attacker can exhaust a lot of memory on the server
> > side, triggering the OOM killer.
> >
> > CVE-2018-6534: By sending specially crafted messages, an attacker can
> > cause a NULL pointer dereference, which can cause Icinga2 to crash.
> >
> > CVE-2018-6535: Lack of a constant-time password comparison function can
> > disclose the password to an attacker.
> >
> > Detailed write-up and simple crashers for the above at
> > https://hansmi.ch/articles/2018-03-icinga2-security
> >
> > (CVE-2017-16933 and CVE-2018-6536 also in this release relate to the
> > init scripts that we don't use).
> 
> The diff looks good ports-wise, ok jca@ fwiw

Thanks.

BTW: I can't handle this in 6.2-stable, can't update from 2.7.x to 2.8.x
there (schema update means it's not a drop-in replacement), and there are
a lot more files patched than I have time to handle backporting right now.
I can review if somebody else wants to do that though.
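The CVE-2018-6535 item above concerns an early-exit password comparison. As an added illustration that is not part of this thread, the Icinga2 code base or the ports diff, here is the leaky pattern beside a comparison whose running time does not depend on where the inputs differ (function names `naive_equal` and `constant_time_equal` are hypothetical):

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Early-exit comparison: returns at the first mismatching byte, so the time
// taken grows with the number of correct leading bytes in the guess. This is
// the kind of comparison CVE-2018-6535 describes; shown only for contrast.
bool naive_equal(const std::string& secret, const std::string& guess) {
    if (secret.size() != guess.size()) return false;
    for (size_t i = 0; i < secret.size(); ++i) {
        if (secret[i] != guess[i]) return false;   // leaks mismatch position
    }
    return true;
}

// Constant-time comparison: always walks the full length of the longer input
// and accumulates differences with bitwise OR, so timing does not depend on
// where (or whether) the inputs differ. A length mismatch is folded into the
// result instead of being returned early. In practice compare fixed-length
// digests rather than raw passwords so the loop bound is also constant.
bool constant_time_equal(const std::string& secret, const std::string& guess) {
    const size_t n = secret.size() > guess.size() ? secret.size() : guess.size();
    uint8_t diff = static_cast<uint8_t>(secret.size() != guess.size());
    for (size_t i = 0; i < n; ++i) {
        // Out-of-range positions contribute a fixed byte so every iteration
        // performs the same work regardless of the two lengths.
        const uint8_t a = i < secret.size() ? static_cast<uint8_t>(secret[i]) : 0;
        const uint8_t b = i < guess.size()  ? static_cast<uint8_t>(guess[i])  : 0;
        diff |= static_cast<uint8_t>(a ^ b);
    }
    return diff == 0;
}
```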