CVE-2015-7944

Name: CVE-2015-7944
Description: The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2, when used in SSL mode, allows remote attackers to cause a denial of service (resource consumption) via SSL parameter renegotiation.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-3431-1
NVD severity: medium (attack range: remote)
Debian Bugs: 809537

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ganeti (PTS) | wheezy, wheezy (security) | 2.5.2-1+deb7u2 | fixed |
| | jessie (security), jessie | 2.12.4-1+deb8u3 | fixed |
| | stretch | 2.15.2-7+deb9u1 | fixed |
| | buster, sid | 2.15.2-10 | fixed |

The information below is based on the following data on fixed versions.

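| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ganeti | source | (unstable) | 2.15.2-1 | medium | | 809537 |
| ganeti | source | jessie | 2.12.4-1+deb8u2 | medium | DSA-3431-1 | |
| ganeti | source | squeeze | (unfixed) | end-of-life | | |
| ganeti | source | wheezy | 2.5.2-1+deb7u1 | medium | DSA-3431-1 | |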

Notes

[squeeze] - ganeti <end-of-life> (Depends on KVM/Xen, unsupported in Squeeze LTS)
http://www.ocert.org/advisories/ocert-2015-012.html
http://git.ganeti.org/?p=ganeti.git;a=commit;h=201fcb916b8164c78f4ed8e0c9cfc0227a78684c
