LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Red Hat alert RHSA-2005:014-01 (nfs-utils)



From:
    	      bugzilla@redhat.com


To:
    	      enterprise-watch-list@redhat.com


Subject:
    	      [RHSA-2005:014-01] Updated nfs-utils package fixes security
 vulnerabilities


Date:
    	      Wed, 12 Jan 2005 13:54 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated nfs-utils package fixes security vulnerabilities
Advisory ID:       RHSA-2005:014-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-014.html
Issue date:        2005-01-12
Updated on:        2005-01-12
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-1014 CAN-2004-0946
- ---------------------------------------------------------------------

1. Summary:

An updated nfs-utils package that fixes various security issues is now
available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

The nfs-utils package provides a daemon for the kernel NFS server and
related tools.

SGI reported that the statd daemon did not properly handle the SIGPIPE
signal.  A misconfigured or malicious peer could cause statd to crash,
leading to a denial of service.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-1014 to this issue.

Arjan van de Ven discovered a buffer overflow in rquotad.  On 64-bit
architectures, an improper integer conversion can lead to a buffer
overflow.  An attacker with access to an NFS share could send a specially
crafted request which could lead to the execution of arbitrary code.  The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0946 to this issue.

All users of nfs-utils should upgrade to this updated package, which
resolves these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

144652 - CAN-2004-1014 DoS in statd
138063 - CAN-2004-0946 buffer overflow in rquotad

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/nfs...
9553612895ebfaa51e95f6ca30917ae3  nfs-utils-0.3.3-11.src.rpm

i386:
b5e37053bfa2a629ad89cf8aa55fdd81  nfs-utils-0.3.3-11.i386.rpm

ia64:
1acfa8622a1a9a98f676e8d5e8ada932  nfs-utils-0.3.3-11.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/nfs...
9553612895ebfaa51e95f6ca30917ae3  nfs-utils-0.3.3-11.src.rpm

ia64:
1acfa8622a1a9a98f676e8d5e8ada932  nfs-utils-0.3.3-11.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/nfs...
9553612895ebfaa51e95f6ca30917ae3  nfs-utils-0.3.3-11.src.rpm

i386:
b5e37053bfa2a629ad89cf8aa55fdd81  nfs-utils-0.3.3-11.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/nfs...
9553612895ebfaa51e95f6ca30917ae3  nfs-utils-0.3.3-11.src.rpm

i386:
b5e37053bfa2a629ad89cf8aa55fdd81  nfs-utils-0.3.3-11.i386.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0946

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB5XJWXlSAg2UNWIIRAgdcAKCmUguAappvqdDI6w31HH4al0ZTbwCgrWQH
f+Qg0yF6e1LuIcSJcGJjQxo=
=5AwU
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds