mbox

[PULL,0/5] NBD: fix CVE-2024-7409 for 9.1

Message ID 20240808215529.1065336-7-eblake@redhat.com (mailing list archive)
State New, archived
Headers show

Pull-request

https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2024-08-08

Message

Eric Blake Aug. 8, 2024, 9:53 p.m. UTC
The following changes since commit 75c7f574035622798e9361a942bdfbb0af930f0e:

  Merge tag 'pull-hex-20240807' of https://github.com/quic/qemu into staging (2024-08-08 16:08:18 +1000)

are available in the Git repository at:

  https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2024-08-08

for you to fetch changes up to 3e7ef738c8462c45043a1d39f702a0990406a3b3:

  nbd/server: CVE-2024-7409: Close stray clients at server-stop (2024-08-08 16:34:04 -0500)

----------------------------------------------------------------
NBD patches for 2024-08-08

- plug CVE-2024-7409, a DoS attack exploiting nbd-server-stop

----------------------------------------------------------------
Eric Blake (5):
      nbd: Minor style and typo fixes
      nbd/server: Plumb in new args to nbd_client_add()
      nbd/server: CVE-2024-7409: Cap default max-connections to 100
      nbd/server: CVE-2024-7409: Drop non-negotiating clients
      nbd/server: CVE-2024-7409: Close stray clients at server-stop

 qapi/block-export.json         |  4 ++--
 include/block/nbd.h            | 18 +++++++++++++++-
 block/monitor/block-hmp-cmds.c |  3 ++-
 blockdev-nbd.c                 | 47 +++++++++++++++++++++++++++++++++++++++--
 nbd/server.c                   | 48 ++++++++++++++++++++++++++++++++++++++----
 qemu-nbd.c                     |  7 ++++--
 nbd/trace-events               |  1 +
 7 files changed, 116 insertions(+), 12 deletions(-)

Comments

Richard Henderson Aug. 10, 2024, 11:39 a.m. UTC | #1
On 8/9/24 07:53, Eric Blake wrote:
> The following changes since commit 75c7f574035622798e9361a942bdfbb0af930f0e:
> 
>    Merge tag 'pull-hex-20240807' ofhttps://github.com/quic/qemu into staging (2024-08-08 16:08:18 +1000)
> 
> are available in the Git repository at:
> 
>    https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2024-08-08
> 
> for you to fetch changes up to 3e7ef738c8462c45043a1d39f702a0990406a3b3:
> 
>    nbd/server: CVE-2024-7409: Close stray clients at server-stop (2024-08-08 16:34:04 -0500)
> 
> ----------------------------------------------------------------
> NBD patches for 2024-08-08
> 
> - plug CVE-2024-7409, a DoS attack exploiting nbd-server-stop

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.

r~