From security@linux-mandrake.com Mon Dec 6 23:34:24 2004 From: Mandrake Linux Security Team To: full-disclosure@lists.netsys.com Date: 7 Dec 2004 02:41:49 -0000 Subject: [Full-Disclosure] MDKSA-2004:146 - Updated nfs-utils packages fix remote DoS vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: nfs-utils Advisory ID: MDKSA-2004:146 Date: December 6th, 2004 Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1 ______________________________________________________________________ Problem Description: SGI developers discovered a remote DoS (Denial of Service) condition in the NFS statd server. rpc.statd did not ignore the "SIGPIPE" signal which would cause it to shutdown if a misconfigured or malicious peer terminated the TCP connection prematurely. The updated packages have been patched to prevent this problem. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1014 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: a259e129d3ed021a2805a304a8943f87 10.0/RPMS/nfs-utils-1.0.6-2.1.100mdk.i586.rpm d19cfca24476502abbb67e4a86c91663 10.0/RPMS/nfs-utils-clients-1.0.6-2.1.100mdk.i586.rpm e2cafad49d70aeffbd41d669ab3a2bca 10.0/SRPMS/nfs-utils-1.0.6-2.1.100mdk.src.rpm Mandrakelinux 10.0/AMD64: a389bd51f97e68d671a3aa2d5b7e54ab amd64/10.0/RPMS/nfs-utils-1.0.6-2.1.100mdk.amd64.rpm 2c7951e802b3cc5e3cfd30b021d83bb5 amd64/10.0/RPMS/nfs-utils-clients-1.0.6-2.1.100mdk.amd64.rpm e2cafad49d70aeffbd41d669ab3a2bca amd64/10.0/SRPMS/nfs-utils-1.0.6-2.1.100mdk.src.rpm Mandrakelinux 10.1: b7980dce74b5ce61b118d57e60616831 10.1/RPMS/nfs-utils-1.0.6-2.1.101mdk.i586.rpm e490ac66030bc91263dfe3dbf4ccca0f 10.1/RPMS/nfs-utils-clients-1.0.6-2.1.101mdk.i586.rpm 934c7430d12c476008e93cae02f9ce4d 10.1/SRPMS/nfs-utils-1.0.6-2.1.101mdk.src.rpm Mandrakelinux 10.1/X86_64: 6e3b8a3c10738590e471d27c781a7785 x86_64/10.1/RPMS/nfs-utils-1.0.6-2.1.101mdk.x86_64.rpm 37ace3bf78739e7941c8196b383304bc x86_64/10.1/RPMS/nfs-utils-clients-1.0.6-2.1.101mdk.x86_64.rpm 934c7430d12c476008e93cae02f9ce4d x86_64/10.1/SRPMS/nfs-utils-1.0.6-2.1.101mdk.src.rpm Corporate Server 2.1: 1584a91cd3ea0b88add9d7fde7da0471 corporate/2.1/RPMS/nfs-utils-1.0.1-1.2.C21mdk.i586.rpm b86f316c35825b61c00052aa0931af30 corporate/2.1/RPMS/nfs-utils-clients-1.0.1-1.2.C21mdk.i586.rpm 9271fbc82c44e12ddfce90443fa1f65a corporate/2.1/SRPMS/nfs-utils-1.0.1-1.2.C21mdk.src.rpm Corporate Server 2.1/x86_64: af6f63ad89b182f2a56534f65c3d907b x86_64/corporate/2.1/RPMS/nfs-utils-1.0.1-1.2.C21mdk.x86_64.rpm d352b9aaeaa4db9cb095495ba294fec8 x86_64/corporate/2.1/RPMS/nfs-utils-clients-1.0.1-1.2.C21mdk.x86_64.rpm 9271fbc82c44e12ddfce90443fa1f65a x86_64/corporate/2.1/SRPMS/nfs-utils-1.0.1-1.2.C21mdk.src.rpm Mandrakelinux 9.2: 268d66320642db7c67133f4968724a73 9.2/RPMS/nfs-utils-1.0.5-1.1.92mdk.i586.rpm fd4ab7975b142d3024609bd8b664575b 9.2/RPMS/nfs-utils-clients-1.0.5-1.1.92mdk.i586.rpm 38c15e9595b81cd83b97aa82d5b90ce9 9.2/SRPMS/nfs-utils-1.0.5-1.1.92mdk.src.rpm Mandrakelinux 9.2/AMD64: 2102cfbd5e39cc09e26c856076801285 amd64/9.2/RPMS/nfs-utils-1.0.5-1.1.92mdk.amd64.rpm 67eba995d0f0d14c14ccf4c9fc1d17cb amd64/9.2/RPMS/nfs-utils-clients-1.0.5-1.1.92mdk.amd64.rpm 38c15e9595b81cd83b97aa82d5b90ce9 amd64/9.2/SRPMS/nfs-utils-1.0.5-1.1.92mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBtRhtmqjQ0CJFipgRAlwMAKCW6O0+N5u2sLItl8pNqwueqTVtEACfVIvp TlpCVAdH4OSQ2WTFd1wRLeM= =xkY2 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html