Your message dated Mon, 20 Oct 2008 09:32:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#502680: fixed in nfs-utils 1:1.1.2-6lenny1
has caused the Debian Bug report #502680,
regarding nfs-utils issue (CVE-2008-4552)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
502680: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502680
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: nfs-utils
Version: 1:1.1.2-6
Severity: serious
Tags: patch security pending
Owner: Steffen Joeris <[EMAIL PROTECTED]>
On Sun, Oct 19, 2008 at 11:57:28AM +1100, Steffen Joeris wrote:
>Hi
>
>I am currently looking at the new nfs-utils issue[0]. Red Hat has more
>information in their bugreport[1] including the patch. I am trying to
>figure out the severity of this issue. Now, I am not using nfs in any
>complex environment, so I am not sure. From what I can read in the
>bugreport, it only means that the netgroup privileges are ignored, thus
>additional privileges you should have are missing. Therefore, it
>doesn't sound too severe, but I am probably missing something. What's
>your opinion on the issue?
>
>(BTW it's fixed in unstable, but apparently not in lenny or etch).
>
>Cheers Steffen
>
>[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4552
>[1]: https://bugzilla.redhat.com/show_bug.cgi?id=458676
--- support/misc/tcpwrapper.c 2008-03-15 02:46:29.000000000 +1100
+++ support/misc/tcpwrapper.c 2008-10-19 13:58:12.000000000 +1100
@@ -125,12 +125,12 @@ struct sockaddr_in *addr;
return 0;
/* Check the official name first. */
- if (hosts_ctl(daemon, "", hp->h_name, ""))
+ if (hosts_ctl(daemon, hp->h_name, "", ""))
return 1;
/* Check aliases. */
for (sp = hp->h_aliases; *sp ; sp++) {
- if (hosts_ctl(daemon, "", *sp, ""))
+ if (hosts_ctl(daemon, *sp, "", ""))
return 1;
}
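Review bot: In both corrected hosts_ctl() calls the address and user slots are still passed as bare "" with no comment saying which positional slot is which, and that lack of documentation is how a swap like this goes unnoticed. Add a one-line comment above the first call giving the parameter order (daemon, client name, client address, client user). Also consider passing STRING_UNKNOWN from tcpd.h instead of "" for the fields not supplied, since hosts_access(3) documents that value for missing client data. Both the official-name check and the alias loop need the same treatment so they stay consistent.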
--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:1.1.2-6lenny1
We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive:
nfs-common_1.1.2-6lenny1_amd64.deb
to pool/main/n/nfs-utils/nfs-common_1.1.2-6lenny1_amd64.deb
nfs-kernel-server_1.1.2-6lenny1_amd64.deb
to pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-6lenny1_amd64.deb
nfs-utils_1.1.2-6lenny1.diff.gz
to pool/main/n/nfs-utils/nfs-utils_1.1.2-6lenny1.diff.gz
nfs-utils_1.1.2-6lenny1.dsc
to pool/main/n/nfs-utils/nfs-utils_1.1.2-6lenny1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <[EMAIL PROTECTED]> (supplier of updated nfs-utils
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 19 Oct 2008 13:37:33 +1100
Source: nfs-utils
Binary: nfs-kernel-server nfs-common
Architecture: source amd64
Version: 1:1.1.2-6lenny1
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Changed-By: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Description:
nfs-common - NFS support files common to client and server
nfs-kernel-server - support for NFS kernel server
Closes: 502680
Changes:
nfs-utils (1:1.1.2-6lenny1) testing-proposed-updates; urgency=high
.
* Fix CVE-2008-4552
nfs-utils 1.1.2, and possibly other versions before 1.1.3, invokes the
host_ctl function with the wrong order of arguments, which causes TCP
Wrappers to ignore netgroups and allows remote attackers to bypass
intended access restrictions.
Closes: #502680
--- End Message ---