On Fri, 2013-02-15 at 08:56 +0100, Josip Rodin wrote: > > I appear to be experiencing a serious problem with a 768 MB RAM Xen domU > > machine running an NFS client - every now and then (for months now), often > > in the middle of the night, it enters some kind of a broken state where a > > few semi-random processes (mainly apache2's and vsftpd's which are told to > > serve files from the NFS mount) [...] > I caught it earlier just now, at: > > [950084.590733] active_anon:2805 inactive_anon:11835 isolated_anon:0 > [950084.590735] active_file:76 inactive_file:516 isolated_file:32 > [950084.590737] unevictable:783 dirty:1 writeback:0 unstable:0 > [950084.590739] free:26251 slab_reclaimable:15733 slab_unreclaimable:128868 > [950084.590741] mapped:938 shmem:75 pagetables:651 bounce:0 > > And snuck in a few slabtops (even some -o invocations were getting killed, > along with my shell and pretty much everything else): [...] > 65390 65390 100% 2.06K 13338 15 426816K net_namespace [...]
Looks like CVE-2011-2189, for which there was a fix/workaround in:
vsftpd (2.3.2-3+squeeze2) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* Disable network isolation due to a problem with cleaning up network
namespaces fast enough in kernels < 2.6.35 (CVE-2011-2189).
Thanks Ben Hutchings for the patch!
* Fix possible DoS via globa expressions in STAT commands by
limiting the matching loop (CVE-2011-0762; Closes: #622741).
-- Nico Golde <n...@debian.org> Wed, 07 Sep 2011 20:39:59 +0000
Do you have an old version of vsftpd, or perhaps an upstream version
which doesn't include the workaround?
Anyway, I'm closing the bug report; please don't hijack closed bugs.
Ben.
--
Ben Hutchings
Computers are not intelligent. They only think they are.
signature.asc
Description: This is a digitally signed message part
