Your message dated Mon, 15 May 2017 09:04:26 +0000
with message-id <e1dabvw-0006gd...@fasolo.debian.org>
and subject line Bug#861836: fixed in ntirpc 1.4.4-1
has caused the Debian Bug report #861836,
regarding ntirpc: CVE-2017-8779
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtirpc
Version: 0.2.5-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Control: clone -1 -2
Control: reassign -2 src:rpcbind
Control: found -2 0.2.1-6

Hi,

the following vulnerability was published for libtirpc.

CVE-2017-8779[0]:
| rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through
| 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC
| data size during memory allocation for XDR strings, which allows remote
| attackers to cause a denial of service (memory consumption with no
| subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

Note that the rpcbind version needs to be built with a fixed version
of libtirpc, as it needs some new code in libtirpc.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8779
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
[1] http://www.openwall.com/lists/oss-security/2017/05/03/12
[2] https://github.com/guidovranken/rpcbomb/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
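The CVE text above describes the defect as an allocation sized from the wire-declared XDR string length without regard to the maximum RPC data size, followed by an error path that never frees. The following is an added example written for this page; it is not code from libtirpc, ntirpc or rpcbind, and the bound `MAX_RPC_DATA_SIZE`, the `xdr_buf` type and all function names are assumptions chosen for illustration. It shows a minimal XDR string decoder that checks the declared length against both the RPC data bound and the bytes actually received before calling `malloc`, and that frees on every failure path.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on one RPC request's payload. Placeholder value for
 * this example, not ntirpc's or libtirpc's own constant. */
#define MAX_RPC_DATA_SIZE 9000u

/* Result codes returned by xdr_decode_string_bounded(). */
enum xdr_status {
    XDR_OK = 0,
    XDR_ERR_TRUNCATED = 1,   /* fewer bytes on the wire than the length field needs */
    XDR_ERR_TOO_LARGE = 2,   /* declared length exceeds the RPC data bound */
    XDR_ERR_SHORT_BODY = 3,  /* declared length exceeds the bytes actually received */
    XDR_ERR_NOMEM = 4
};

/* Cursor over one received datagram (hypothetical type for this example). */
struct xdr_buf { const uint8_t *data; size_t len; size_t pos; };

static int xdr_get_u32(struct xdr_buf *b, uint32_t *out) {
    if (b->len - b->pos < 4) return 0;
    const uint8_t *p = b->data + b->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    b->pos += 4;
    return 1;
}

/* Decode an XDR string: 4-byte big-endian length, bytes, padding to 4.
 * Both size checks run before any allocation, which is the ordering the CVE
 * description reports as missing. On failure *out stays NULL and nothing
 * allocated here is left behind. */
enum xdr_status xdr_decode_string_bounded(struct xdr_buf *b, char **out) {
    uint32_t size;
    *out = NULL;
    if (!xdr_get_u32(b, &size)) return XDR_ERR_TRUNCATED;
    if (size > MAX_RPC_DATA_SIZE) return XDR_ERR_TOO_LARGE;  /* reject before malloc */
    if (b->len - b->pos < size) return XDR_ERR_SHORT_BODY;  /* datagram cannot hold it */
    char *s = malloc((size_t)size + 1);
    if (!s) return XDR_ERR_NOMEM;
    memcpy(s, b->data + b->pos, size);
    s[size] = '\0';
    b->pos += size;
    size_t pad = (4 - (size % 4)) % 4;  /* XDR pads strings to a 4-byte boundary */
    if (b->len - b->pos < pad) { free(s); return XDR_ERR_SHORT_BODY; }
    b->pos += pad;
    *out = s;
    return XDR_OK;
}

/* Decode one packet and report only the status, releasing any result. */
enum xdr_status xdr_check_packet(const uint8_t *pkt, size_t len) {
    struct xdr_buf b = { pkt, len, 0 };
    char *s = NULL;
    enum xdr_status st = xdr_decode_string_bounded(&b, &s);
    free(s);
    return st;
}

/* Decode one packet and return the decoded string length, or -1 on failure. */
long xdr_decoded_length(const uint8_t *pkt, size_t len) {
    struct xdr_buf b = { pkt, len, 0 };
    char *s = NULL;
    if (xdr_decode_string_bounded(&b, &s) != XDR_OK) return -1;
    long n = (long)strlen(s);
    free(s);
    return n;
}

/* Constructed sample inputs for this example (not captured traffic). */
static const uint8_t sample_ok[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
/* A 4-byte datagram declaring a 0xFFFFFFF0-byte string: the shape the CVE describes. */
static const uint8_t sample_bomb[] = { 0xFF, 0xFF, 0xFF, 0xF0 };
/* Declares 100 bytes but carries only 2. */
static const uint8_t sample_short[] = { 0, 0, 0, 100, 'a', 'b' };

int main(void) {
    printf("ok packet:    status %d, length %ld\n",
           xdr_check_packet(sample_ok, sizeof sample_ok),
           xdr_decoded_length(sample_ok, sizeof sample_ok));
    printf("bomb packet:  status %d\n", xdr_check_packet(sample_bomb, sizeof sample_bomb));
    printf("short packet: status %d\n", xdr_check_packet(sample_short, sizeof sample_short));
    return 0;
}
```

The order of the checks matters: comparing the declared length against the bytes remaining in the datagram would already stop a small UDP packet from driving a large allocation, but the explicit data-size bound also covers transports where the body is streamed rather than received whole, and it keeps a single request from reserving more memory than the protocol allows.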
--- Begin Message ---
Source: ntirpc
Source-Version: 1.4.4-1

We believe that the bug you reported is fixed in the latest version of
ntirpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <mar...@uni-mainz.de> (supplier of updated ntirpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 May 2017 09:53:09 +0200
Source: ntirpc
Binary: libntirpc1.4 libntirpc-dev
Architecture: source amd64
Version: 1.4.4-1
Distribution: unstable
Urgency: high
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Christoph Martin <mar...@uni-mainz.de>
Description:
 libntirpc-dev - new transport-independent RPC library - development files
 libntirpc1.4 - new transport-independent RPC library
Closes: 861836
Changes:
 ntirpc (1.4.4-1) unstable; urgency=high
 .
   [ Christoph Martin ]
   * Imported Upstream version 1.4.4
   * fixes rpcbomb CVE-2017-8779 (closes: #861836)
Checksums-Sha1:
 b4dc95e9bc5892bbb2e61c56facc085bfd2e8a6e 1979 ntirpc_1.4.4-1.dsc
 836dcc95e4cb5b44575dabd2a25b6882864f2d56 446179 ntirpc_1.4.4.orig.tar.gz
 da9dff73172cd894a1ffbc0f7faf8d81edff00c7 7728 ntirpc_1.4.4-1.debian.tar.xz
 21fec6ca77a9a18e8b762b08889e70302d802ad0 79804 libntirpc-dev_1.4.4-1_amd64.deb
 b919182eebfc310530434762d38d46a0de36df72 485632 libntirpc1.4-dbgsym_1.4.4-1_amd64.deb
 f2f9fbd5d07e3e8f9b44ea697405ce827a3ee654 116410 libntirpc1.4_1.4.4-1_amd64.deb
 0ff7b3bf1a141bd587b2fc990614a3bf7295c589 6906 ntirpc_1.4.4-1_amd64.buildinfo
Checksums-Sha256:
 de7d3070fc29a4beaf0dcad61a953b8c8b6eee1da83a80e5d4aa7da19684b0a1 1979 ntirpc_1.4.4-1.dsc
 ec0adbb9da44bd3eb15a4f316b4fbc12db4a96b253e64102beb66ca78bcd9c3d 446179 ntirpc_1.4.4.orig.tar.gz
 77c78921e1ab9d64c68f72e17a4dbb28299aa78f1fd9d0e40f09df1b8a46a2d6 7728 ntirpc_1.4.4-1.debian.tar.xz
 8395dd371c814566b5b752f06a4743b34144c5c65aeecc53c7939a2dfebfef2f 79804 libntirpc-dev_1.4.4-1_amd64.deb
 e10b94bdfacc3c6fb3a42949e1753c8237dd70d67fcdb8280424628a6367968d 485632 libntirpc1.4-dbgsym_1.4.4-1_amd64.deb
 2d137a4f833e1ac398fad73aac1cf003092a355b66118fff13366338dabd1cd8 116410 libntirpc1.4_1.4.4-1_amd64.deb
 4fd7fdef693c5fcba2623976f930db0496ad98a99b9c5336d4aa82239d94cb3f 6906 ntirpc_1.4.4-1_amd64.buildinfo
Files:
 026874f98eb2171dc87d5c2f3dfbf9dc 1979 net optional ntirpc_1.4.4-1.dsc
 60a472552010483fa114958a1c05d23a 446179 net optional ntirpc_1.4.4.orig.tar.gz
 59ee62e1a4256a76c3e2c9ee9c43a710 7728 net optional ntirpc_1.4.4-1.debian.tar.xz
 9035161ad229ed8c1bcc9eae868eb056 79804 libdevel optional libntirpc-dev_1.4.4-1_amd64.deb
 5250a2fcdffcef307f6bd480594025c4 485632 debug extra libntirpc1.4-dbgsym_1.4.4-1_amd64.deb
 ee94aee2ff226288e6ff655711e76d8b 116410 libs optional libntirpc1.4_1.4.4-1_amd64.deb
 c410a75359f4215e7932688276a229ee 6906 net optional ntirpc_1.4.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
