From marcdeslauriers@videotron.ca Sun Dec 18 11:17:35 2005
From: Marc Deslauriers
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: Sun, 18 Dec 2005 00:12:59 -0500
Subject: [Full-disclosure] [FLSA-2005:152787] Updated redhat-config-nfs package fixes security issue

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated redhat-config-nfs package fixes security issue
Advisory ID:       FLSA:152787
Issue date:        2005-12-17
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0750
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

An updated redhat-config-nfs package that fixes a security issue is now
available.

redhat-config-nfs is a graphical user interface for creating, modifying,
and deleting nfs shares.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

John Buswell discovered a flaw in redhat-config-nfs that could lead to
incorrect permissions on exported shares when exporting to multiple hosts.
This could cause an option such as "all_squash" to not be applied to all
of the listed hosts. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-0750 to this issue.

Additionally, a bug was found that prevented redhat-config-nfs from being
run if hosts didn't have options set in /etc/exports.

All users of redhat-config-nfs should upgrade to this updated package,
which includes a patch to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152787

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/redhat-config-nfs-1.0.13-6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/redhat-config-nfs-1.0.13-6.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/redhat-config-nfs-1.1.3-3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/redhat-config-nfs-1.1.3-3.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/system-config-nfs-1.2.3-5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/system-config-nfs-1.2.3-5.legacy.noarch.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

6d0c5c269b0702a5f7ef352e1c01390dfcedf66e
redhat/9/updates/i386/redhat-config-nfs-1.0.13-6.legacy.noarch.rpm
7dfd3e3cd3e937144b0a79b38967749caea1f779
redhat/9/updates/SRPMS/redhat-config-nfs-1.0.13-6.legacy.src.rpm
376cd7a13d85877976d606a2a8dc57e5a9de1766
fedora/1/updates/i386/redhat-config-nfs-1.1.3-3.legacy.noarch.rpm
b1828331941b0d64625dc5981990b63fb8f5ee26
fedora/1/updates/SRPMS/redhat-config-nfs-1.1.3-3.legacy.src.rpm
e9694cfe870c4370ab080ef81fe2ee5d09f23a34
fedora/2/updates/i386/system-config-nfs-1.2.3-5.legacy.noarch.rpm
6e4cee9467fa66760b8e757000e771f167225377
fedora/2/updates/SRPMS/system-config-nfs-1.2.3-5.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0750

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------
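One way to audit an existing /etc/exports for the symptom described in section 3, where an option such as "all_squash" is set for some hosts of a share but not for others. This is an added example, not part of the advisory or of the Fedora Legacy patch; it assumes plain exports(5) syntax without quoted paths, and the sample file and host names are constructed.

```python
import re

# One client token: optional host spec, optional "(opt,opt,...)" list.
TOKEN_RE = re.compile(r'([^()]*)(?:\(([^()]*)\))?')

# Constructed sample, not taken from the advisory.
SAMPLE = """\
# path       clients
/srv/pub     alpha.example.com beta.example.com(ro,all_squash)
/srv/home    192.0.2.0/24(rw,root_squash) gamma.example.com(rw,root_squash)
/srv/scratch alpha.example.com(rw,all_squash) \\
             beta.example.com(rw,all_squash)
"""

def parse_exports(text):
    """Return {path: {client: set(options)}} for exports(5)-style text."""
    shares = {}
    # Join backslash-continued lines before splitting into entries.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = shares.setdefault(path, {})
        for token in rest.split():
            m = TOKEN_RE.fullmatch(token)
            if m is None:
                raise ValueError("malformed client entry: %r" % token)
            host = m.group(1) or "*"          # bare "(opts)" means any host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            # A client listed without "(...)" has no explicit options.
            clients.setdefault(host, set()).update(opts)
    return shares

def inconsistent_option(shares, option="all_squash"):
    """List (path, client) pairs that lack `option` although another
    client of the same share has it."""
    findings = []
    for path, clients in shares.items():
        if any(option in opts for opts in clients.values()):
            findings += [(path, c) for c, opts in clients.items()
                         if option not in opts]
    return findings

if __name__ == "__main__":
    for path, client in inconsistent_option(parse_exports(SAMPLE)):
        print("%s: %s is exported without all_squash" % (path, client))
```

A finding is a difference to review rather than proof of the bug, since an administrator may have given hosts different options on purpose.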