
Bug#633155: marked as done (Mixed IP/name-based access control can be bypassed (CVE-2011-2500))



Your message dated Sat, 09 Jul 2011 15:05:34 +0000
with message-id <E1QfZ66-0005QK-9N@franck.debian.org>
and subject line Bug#633155: fixed in nfs-utils 1:1.2.4-1
has caused the Debian Bug report #633155,
regarding Mixed IP/name-based access control can be bypassed (CVE-2011-2500)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
633155: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633155
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: nfs-kernel-server
Version: 1:1.2.3-3
Severity: grave
Tags: patch

From <https://bugzilla.redhat.com/show_bug.cgi?id=716949>:
> A security flaw was found in the way nfs-utils performed authentication
> of an incoming request, when an IP based authentication mechanism was used
> and certain file systems were exported either to a netgroup or a wildcard
> (e.g. *.my.domain), and some file systems (either the same or different to
> the first set) were exported to specific hosts, IP addresses, or a subnet.
> A remote attacker, able to create global DNS entries, could use this flaw
> to access the above-listed exported file systems.
> 
> References:
> [1] https://bugzilla.novell.com/show_bug.cgi?id=701702
> [2] http://www.openwall.com/lists/oss-security/2011/06/27/7
>     (CVE Request)
> 
> Relevant upstream patch:
> [3] http://marc.info/?l=linux-nfs&m=130875695821953&w=2

This bug appears to have been introduced in upstream version 1.2.3-rc4
and therefore should not affect squeeze or lenny.

Ben.

-- System Information:
Debian Release: wheezy/sid
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'oldstable-proposed-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:1.2.4-1

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive:

nfs-common_1.2.4-1_i386.deb
  to main/n/nfs-utils/nfs-common_1.2.4-1_i386.deb
nfs-kernel-server_1.2.4-1_i386.deb
  to main/n/nfs-utils/nfs-kernel-server_1.2.4-1_i386.deb
nfs-utils_1.2.4-1.debian.tar.bz2
  to main/n/nfs-utils/nfs-utils_1.2.4-1.debian.tar.bz2
nfs-utils_1.2.4-1.dsc
  to main/n/nfs-utils/nfs-utils_1.2.4-1.dsc
nfs-utils_1.2.4.orig.tar.bz2
  to main/n/nfs-utils/nfs-utils_1.2.4.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 633155@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 09 Jul 2011 16:28:32 +0200
Source: nfs-utils
Binary: nfs-kernel-server nfs-common
Architecture: source i386
Version: 1:1.2.4-1
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 nfs-common - NFS support files common to client and server
 nfs-kernel-server - support for NFS kernel server
Closes: 619877 626478 633155
Changes: 
 nfs-utils (1:1.2.4-1) unstable; urgency=low
 .
   * New upstream version
     - Fix host_reliable_addrinfo (Closes: #633155)
     - Allow multiple RPC listeners to share listener port number
     (Closes: #619877)
     - Add --enable-libmount-mount (Closes: #626478)
     - 12-svcgssd-document-n-option.patch applied upstream
     - Refresh 19-exports.man-Fix-comment-syntax.patch
     - 21-anticipate-RLIMIT_FSIZE.patch applied upstream
     - Add nfsidmap binary and manpage
     - Use autoreconf to avoid build failure
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---
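The bug class described in the report above (mixed name-based and address-based export entries, with the address check applied to every address the client's reverse name resolves to) next to the hardened check, as an added illustration that is not nfs-utils code and does not reproduce host_reliable_addrinfo; the DNS tables, host names, addresses and export paths are constructed for the example.

```python
import ipaddress

# Constructed DNS tables. The attacker controls the evil.example zone and can
# publish any A records there; my.domain and 203.0.113.0/24 belong to the site.
PTR = {"203.0.113.9": "fileclient.my.domain",
       "198.51.100.7": "rogue.evil.example"}
A = {"fileclient.my.domain": ["203.0.113.9"],
     # attacker's name also resolves to the legitimate client's address
     "rogue.evil.example": ["198.51.100.7", "203.0.113.9"]}
# exports(5)-style client lists: one wildcard entry, one address entry
EXPORTS = {"/srv/public": ["*.my.domain"],
           "/srv/secret": ["203.0.113.9"]}

def as_network(entry):
    """ip_network for an address/subnet entry, None for a host-name pattern."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def name_matches(name, pattern):
    """Wildcard ('*.my.domain') or exact host-name match."""
    if pattern.startswith("*"):
        return name.endswith(pattern[1:])
    return name == pattern

def confirmed_name(ip):
    """Forward-confirmed reverse lookup: the PTR name must resolve back to ip."""
    name = PTR.get(ip)
    return name if name and ip in A.get(name, []) else None

def allowed_weak(export, ip):
    """Flawed: address entries are matched against all addresses of the name."""
    name = confirmed_name(ip)
    candidates = A.get(name, []) if name else [ip]
    for entry in EXPORTS[export]:
        net = as_network(entry)
        if net is None:
            if name and name_matches(name, entry):
                return True
        elif any(ipaddress.ip_address(c) in net for c in candidates):
            return True   # attacker-published address satisfies the entry
    return False

def allowed_fixed(export, ip):
    """Hardened: address entries are matched only against the peer address."""
    name = confirmed_name(ip)
    for entry in EXPORTS[export]:
        net = as_network(entry)
        if net is None:
            if name and name_matches(name, entry):
                return True
        elif ipaddress.ip_address(ip) in net:
            return True
    return False
```

With these tables the peer 198.51.100.7 passes the weak check for /srv/secret but not the fixed one, while the legitimate client 203.0.113.9 is admitted to both exports either way.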
