Message-ID: <53BC4CB5.5020406@redhat.com>
Date: Tue, 08 Jul 2014 13:55:33 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Summer bug cleaning - rpcbind -h option

And an RPC one (and possibly other NFS utils):

https://bugzilla.redhat.com/show_bug.cgi?id=852282
CVE-2012-3541 rpcbind: -h fails to control access to rpcbind

I'm guessing nobody noticed or cares much because people use firewalls
to control access to ports, not internal -h or whatever flags. The
reason rpcbind qualifies for a CVE is it exposes rpcbind on interfaces
against the direct configuration it was given (e.g. if you tell it to
listen to localhost only it would expose itself to the world).

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
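A check for the condition described in the message, as an added example that is not part of the original post or of rpcbind: it compares the port-111 sockets in `ss -lntu` output against the addresses rpcbind was told to use with `-h`. The function names, the loopback-only allow list and the sample listing are assumptions constructed for illustration.

```python
import ipaddress

RPCBIND_PORT = "111"  # well-known rpcbind/portmapper port

# Constructed sample of `ss -lntu` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0          127.0.0.1:111       0.0.0.0:*
udp   UNCONN 0      0              [::1]:111          [::]:*
tcp   LISTEN 0      128          0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128             [::]:111          [::]:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""

def parse_local(field):
    """Split an ss 'Local Address:Port' field into (ip_address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope, then brackets
    if addr == "*":                        # some ss versions print the wildcard as '*'
        addr = "0.0.0.0"
    return ipaddress.ip_address(addr), port

def unexpected_listeners(ss_output, allowed):
    """Return (proto, address) for port-111 sockets bound outside `allowed`."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue  # header line or a socket type we do not audit
        addr, port = parse_local(cols[4])
        if port == RPCBIND_PORT and addr not in allowed:
            findings.append((cols[0], str(addr)))
    return findings

if __name__ == "__main__":
    # Assumed intent: rpcbind restricted to loopback only.
    for proto, addr in unexpected_listeners(SAMPLE_SS, ["127.0.0.1", "::1"]):
        print(f"rpcbind {proto} socket bound to {addr}, outside the configured list")
```

On a live host, pass the output of `ss -lntu` in place of `SAMPLE_SS`; any finding means the daemon is reachable on an address the configuration did not name.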