On 8/7/24 19:43, Eric Blake wrote:
> v3 was here:
> https://lists.gnu.org/archive/html/qemu-devel/2024-08/msg00818.html
>
> since then:
> - re-add a minor patch from v2 (now patch 1)
> - refactor how the client opaque pointer is handled (patch 2)
> - add two new patches to prevent malicious clients from consuming
> inordinate resources: change the default max-connections from
> unlimited to capped at 100 (patch 3), and add code to kill any
> client that takes longer than 10 seconds after connect to reach
> NBD_OPT_GO (patch 4) [Dan]
> - squash the connection list handling into a single patch (5) [Dan]
> - two new additional patches for reverting back to 9.0 behavior for
> integration testing purposes; I'm okay if these last two miss 9.1
>
> Eric Blake (7):
> nbd: Minor style fixes
> nbd/server: Plumb in new args to nbd_client_add()
> nbd/server: CVE-2024-7409: Change default max-connections to 100
> nbd/server: CVE-2024-7409: Drop non-negotiating clients
> nbd/server: CVE-2024-7409: Close stray client sockets at shutdown
> qemu-nbd: Allow users to adjust handshake limit
> nbd/server: Allow users to adjust handshake limit in QMP
>
> docs/tools/qemu-nbd.rst | 5 +++
> qapi/block-export.json | 18 +++++++---
> include/block/nbd.h | 20 +++++++++--
> block/monitor/block-hmp-cmds.c | 3 +-
> blockdev-nbd.c | 62 +++++++++++++++++++++++++++++++---
> nbd/server.c | 51 +++++++++++++++++++++++++---
> qemu-nbd.c | 44 ++++++++++++++++--------
> nbd/trace-events | 1 +
> 8 files changed, 173 insertions(+), 31 deletions(-)
>
should this go to stable too? 7.5 score is high enough.
We have had CVE-2024-4467
<https://security-tracker.debian.org/tracker/CVE-2024-4467> with 7.8
merged to stables too.
Den