Bugtraq mailing list archives
Re: [RHSA-2000:043-02] Updated package for nfs-utils available
From: costan () COMM2000 IT (Andrea Costantino)
Date: Tue, 18 Jul 2000 13:58:02 +0200
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Updated package for nfs-utils available
Advisory ID: RHSA-2000:043-02
Issue date: 2000-07-17
Updated on: 2000-07-17
Product: Red Hat Linux
Keywords: rpc.statd root compromise
Cross references: N/A
---------------------------------------------------------------------
1. Topic:
The rpc.statd daemon in the nfs-utils package shipped in Red Hat
Linux 6.0, 6.1, and 6.2 contains a flaw that could lead to a
remote root break-in.
2. Relevant releases/architectures:
Red Hat Linux 6.0 - i386, alpha, sparc
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Red Hat Linux 6.1 - i386, alpha, sparc
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Ok, what's doing RH??? The packages are available only for Zoot edition (6.2). They should work even with 6.[01], but it seems that the kernel shipped with 6.2 is needed (2.2.14). RedHat people believe that a RH user should get the latest (maybe unchecked!) kernel in RPM version as soon it's available?? I tried to build my own RPM using the src.rpm, and it compiled fine. When i issued the -Uvh command i discovered that it depended on the same kernel! I guess that if it compiled the kernel-headers were right, so.. what the hell happened?? I have no chance to upgrade my kernel, since it's deeeeeeeeply patched to run ipsec, and some modularized stuff is now built-in. So i have to catch the latest kernel, headers, boot, blahblahblah, the kernel sources, the ipsec patches.. then should install them, patch the new kernel, reconfigure, recompile, reinstall and, at least, reissue the blessed rpm -Uvh nfs-blahblah, hoping that the new name doesn't conflict with the old one! It's possible, ok, but it took me many many hours... and i'm very very busy... Ah, the best thing is that i have to patch more than 20 running machines... So RH people, why??? The RPM world should correct the tar.gz flaws with advanced packages management, but in this case it's REALLY a drawback! The Cartman version appears as "Supported" on RH site.. maybe I missed something, but the support seems to work if and only if the user patches everything.. maybe... Baciamo le mani, k0
Current thread:
- Chasing bugs / vulnerabilties, (continued)
- Chasing bugs / vulnerabilties Michael S Hines (Jul 24)
- Re: Chasing bugs / vulnerabilties Kurt Seifried (Jul 25)
- Re: StackGuard with ... Re: [Paper] Format bugs. Pascal Bouchareine (Jul 21)
- Re: StackGuard with ... Re: [Paper] Format Ronald Huizer [Crew] (Jul 24)
- More bad censorware John Pettitt (Jul 21)
- Re: StackGuard with ... Re: [Paper] Format bugs. Gerardo Richarte (Jul 24)
- S21SEC-003: Vulnerabilities in CommuniGate Pro v3.2.4 Lluis Mora (Jul 17)
- [COVERT-2000-07] LISTSERV Web Archive Remote Overflow COVERT Labs (Jul 17)
- [RHSA-2000:043-02] Updated package for nfs-utils available bugzilla () REDHAT COM (Jul 17)
- Trustix Security Advisory - nfs-utils Oystein Viggen (Jul 18)
- Re: [RHSA-2000:043-02] Updated package for nfs-utils available Andrea Costantino (Jul 18)
- Re: [RHSA-2000:043-02] Updated package for nfs-utils available Matt Wilson (Jul 18)
- Update on TooRcon Computer Security Expo Ben (Jul 18)
- "Best Practices for Secure Web Development" whitepaper Razvan Peteanu (Jul 18)
- [Security Announce] MDKSA-2000:021 nfs-utils update Linux Mandrake Security Team (Jul 18)
- Microsoft Security Bulletin (MS00-043) Microsoft Product Security (Jul 19)
- Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail MIME Header" Vulnerability Ussr Labs (Jul 19)
- Re: [RHSA-2000:043-02] Updated package for nfs-utils available Joe Laffey (Jul 18)
- Re: [RHSA-2000:043-02] Updated package for nfs-utils available Kurt Seifried (Jul 18)
- @stake Security Advisory: NetZero Password Algorithm Brian Carrier (Jul 18)
- Re: @stake Security Advisory: NetZero Password Algorithm Dan Kaminsky (Jul 18)