Posted to dev@qpid.apache.org by "Andrew Stitcher (JIRA)" <ji...@apache.org> on 2012/05/25 18:21:22 UTC
[jira] [Created] (QPID-4021) Badly behaved clients can still clog up the broker
Andrew Stitcher created QPID-4021:
-------------------------------------
Summary: Badly behaved clients can still clog up the broker
Key: QPID-4021
URL: https://issues.apache.org/jira/browse/QPID-4021
Project: Qpid
Issue Type: Bug
Reporter: Andrew Stitcher
The recent code that times out new connections that have not negotiated the protocol within (a default) 2 seconds still leaves a gap where badly behaved applications can tie up the broker.
The timeout should really be until either heartbeats are activated, in which case they will take over the role of timing out idle connections, or until the connection is authenticated, in which case the policy on admitting users should take care of limiting the connections.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
[jira] [Commented] (QPID-4021) Badly behaved clients can still clog up the broker
Posted by "Andrew Stitcher (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283723#comment-13283723 ]
Andrew Stitcher commented on QPID-4021:
---------------------------------------
This is CVE-2012-2145
> Badly behaved clients can still clog up the broker
> --------------------------------------------------
>
> Key: QPID-4021
> URL: https://issues.apache.org/jira/browse/QPID-4021
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.17
> Reporter: Andrew Stitcher
>
> The recent code that times out new connections that have not negotiated the protocol within (a default) 2 seconds still leaves a gap where badly behaved applications can tie up the broker.
> The timeout should really be until either heartbeats are activated, in which case they will take over the role of timing out idle connections, or until the connection is authenticated, in which case the policy on admitting users should take care of limiting the connections.
[jira] [Updated] (QPID-4021) Badly behaved clients can still clog up the broker
Posted by "Andrew Stitcher (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Stitcher updated QPID-4021:
----------------------------------
Component/s: C++ Broker
Affects Version/s: 0.17