Your message dated Fri, 05 May 2017 18:03:55 +0000
with message-id <[email protected]>
and subject line Bug#861835: fixed in rpcbind 0.2.3-0.6
has caused the Debian Bug report #861835,
regarding rpcbind: CVE-2017-8779
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
861835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861835
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libtirpc
Version: 0.2.5-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Control: clone -1 -2
Control: reassign -2 src:rpcbind
Control: found -2 0.2.1-6
Hi,
the following vulnerability was published for libtirpc.
CVE-2017-8779[0]:
| rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through
| 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC
| data size during memory allocation for XDR strings, which allows remote
| attackers to cause a denial of service (memory consumption with no
| subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
Note that the rpcbind version needs to be built with a fixed version
of libtirpc, as it needs some new code in libtirpc.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
[1] http://www.openwall.com/lists/oss-security/2017/05/03/12
[2] https://github.com/guidovranken/rpcbomb/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
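The allocation and cleanup discipline the CVE description above calls for, shown as an added example in C that is not libtirpc or rpcbind code: a self-contained XDR string decoder that bounds the declared length by an assumed maximum RPC message size (MAX_RPC_MSG, 8 KiB here) before allocating, and frees its buffer whenever a later check fails. The sample messages are constructed for the example.

```c
/* Added example (not libtirpc/rpcbind code). XDR encodes a string as a
 * 4-byte big-endian length followed by the bytes, padded to a multiple
 * of 4. The defect class behind CVE-2017-8779 is trusting that length
 * when allocating and not releasing memory when the decode then fails. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound for this example: a UDP RPC message of at most 8 KiB,
 * so no string carried inside it can legitimately be longer. */
#define MAX_RPC_MSG 8192

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hardened decoder: returns a NUL-terminated copy on success, or NULL
 * with nothing left allocated on any failure. */
char *xdr_string_decode(const unsigned char *buf, size_t buflen, size_t *consumed) {
    if (buflen < 4) return NULL;
    uint32_t len = be32(buf);
    /* 1. Reject lengths the transport cannot carry before any malloc():
     *    an attacker-chosen length must never size the allocation alone. */
    if (len > MAX_RPC_MSG) return NULL;
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    /* 2. The declared length must fit in the bytes actually received. */
    if (padded > buflen - 4) return NULL;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return NULL;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    /* 3. Checks that run after allocation must free on failure, so a
     *    rejected request leaves no allocation behind. */
    if (memchr(s, '\0', len) != NULL) { free(s); return NULL; }
    if (consumed) *consumed = 4 + padded;
    return s;
}

/* Constructed sample messages (not captured traffic). */
static const unsigned char msg_ok[]    = {0,0,0,5,'h','e','l','l','o',0,0,0};
static const unsigned char msg_huge[]  = {0xff,0xff,0xff,0xff,'a','b','c','d'};
static const unsigned char msg_short[] = {0,0,0,100,'a','b','c','d'};

/* Returns how many of the three cases behave as required: the valid
 * string decodes, the oversized and the truncated ones are rejected. */
int demo(void) {
    int ok = 0; size_t n = 0;
    char *s = xdr_string_decode(msg_ok, sizeof msg_ok, &n);
    if (s && strcmp(s, "hello") == 0 && n == 12) ok++;
    free(s);
    if (xdr_string_decode(msg_huge, sizeof msg_huge, NULL) == NULL) ok++;
    if (xdr_string_decode(msg_short, sizeof msg_short, NULL) == NULL) ok++;
    return ok;
}
```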
--- Begin Message ---
Source: rpcbind
Source-Version: 0.2.3-0.6
We believe that the bug you reported is fixed in the latest version of
rpcbind, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated rpcbind package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 05 May 2017 19:46:00 +0200
Source: rpcbind
Binary: rpcbind
Architecture: source
Version: 0.2.3-0.6
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 861835
Description:
rpcbind - converts RPC program numbers into universal addresses
Changes:
rpcbind (0.2.3-0.6) unstable; urgency=high
.
* Non-maintainer upload.
* CVE-2017-8779: Memory leak when failing to parse XDR strings or bytearrays
(Closes: #861835)
* Bump runtime dependency on libtirpc1.
Bump Depends on libtirpc1 (>= 0.2.5-1.2~) to pull the fixes on libtirpc1
for CVE-2017-8779.
Checksums-Sha1:
477eef2063712bc6f981456558c2da7bdd2bd7b1 2022 rpcbind_0.2.3-0.6.dsc
e081c78ad3d2d31e88d0b05f6b2ef954e1f48344 11952 rpcbind_0.2.3-0.6.debian.tar.xz
Checksums-Sha256:
44f3de063b6e4a5669369db91031fb5abedf9734e4922635f7eca58b69c0f03d 2022 rpcbind_0.2.3-0.6.dsc
833ebacb92585e21421914facf756011954082cdb514bef034a7f7e54cc7afaa 11952 rpcbind_0.2.3-0.6.debian.tar.xz
Files:
bb248c242f5fd2159f9542e12118f5cb 2022 net standard rpcbind_0.2.3-0.6.dsc
982096d8319c98665c55a6be24188c87 11952 net standard rpcbind_0.2.3-0.6.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---