[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malfor
From: Alex R <alexr () apache ! org>
Date: 2018-09-13 14:52:53
Message-ID: CAPNiXbG8-Z7BC=pts=EigRo0yNnvFU+GV6pBNQhKt9HpxFfu2g () mail ! gmail ! com
[Download RAW message or body]
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Mesos 1.4.0 to 1.5.0
The unsupported Apache Mesos pre-1.4.0 releases may be also affected.
Description:
When parsing a malformed JSON payload, libprocess might crash due to
an uncaught exception. Parsing chunked HTTP requests with trailers
can lead to a libprocess crash too because of the mistakenly planted
assertion. A malicious actor can therefore cause a denial of service
of Mesos masters rendering the Mesos-controlled cluster inoperable.
Mitigation:
pre-1.4.x users should upgrade to at least 1.4.2
1.4.x users should upgrade to 1.4.2
1.5.0 users should upgrade to 1.5.1
1.6.0-dev users should obtain Mesos 1.6.0 or later
Credit:
This issue was discovered by Lyon Yang (@l0Op3r), Jeremy Heng
(@nn\_amon) and Quan Yang (@quanyang).
Alex on behalf of Mesos PMC.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic