Package: nfs-kernel-server
Version: 1:1.0.6-3.1
Severity: grave
Tags: security
Justification: user security hole

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.30
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages nfs-kernel-server depends on:
ii  debconf      1.4.30.13     Debian configuration management sy
ii  libc6        2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libwrap0     7.6.dbs-8     Wietse Venema's TCP wrappers libra
ii  nfs-common   1:1.0.6-3.1   NFS support files common to client
ii  sysvinit     2.86.ds1-1    System-V like init

-- no debconf information

Just upgraded from woody to sarge, now rpc.mountd and rpc.statd seem to ignore the restrictions in /etc/hosts.allow and listen blithely on all addresses and interfaces. This is a security breach.

I did an strace on rpc.mountd, it never opens /etc/hosts.allow or /etc/hosts.deny before doing a listen on 0.0.0.0.

This is a regression from woody, as this used to work fine on woody, and my mountd and statd were not open to the world. nfsd is, however, working correctly, it seems.
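The two observations in the report (a listen on 0.0.0.0 and no open of /etc/hosts.allow or /etc/hosts.deny) can be checked mechanically from an strace log. This is an added example, not part of the original report or of nfs-utils; the function name and trace lines are constructed, and because libwrap reads its access files when a request is checked, the trace should cover at least one incoming request.

```python
import re

# Constructed strace excerpt (not from the report): a daemon that binds
# wildcard sockets and handles one request without touching the libwrap files.
SAMPLE_TRACE = '''\
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(32771), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(32771), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(4, 128) = 0
recvfrom(3, "..."..., 8800, 0, {sa_family=AF_INET, sin_port=htons(801), sin_addr=inet_addr("192.0.2.10")}, [16]) = 40
open("/etc/exports", O_RDONLY) = 5
'''

# Successful IPv4 bind(): capture port and address.
BIND_RE = re.compile(r'^bind\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                     r'sin_addr=inet_addr\("([\d.]+)"\)\}, \d+\)\s+= 0')
# Any attempt (successful or not) to open a TCP-wrappers access file.
OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"(/etc/hosts\.(?:allow|deny))"')


def audit_trace(text):
    """Summarise wildcard binds and libwrap file access seen in strace output."""
    wildcard_ports, wrapper_files = set(), set()
    for line in text.splitlines():
        # strace -f prefixes each line with "[pid N] " or "N "; drop it.
        line = re.sub(r'^(?:\[pid\s+\d+\]|\d+)\s+', '', line)
        m = BIND_RE.match(line)
        if m and m.group(2) == "0.0.0.0":
            wildcard_ports.add(int(m.group(1)))
        m = OPEN_RE.match(line)
        if m:
            wrapper_files.add(m.group(1))
    return {
        "wildcard_ports": sorted(wildcard_ports),
        "wrapper_files_consulted": sorted(wrapper_files),
        # True when the daemon is reachable on every interface and the
        # trace shows no sign of host-based access control being applied.
        "wildcard_without_wrappers": bool(wildcard_ports) and not wrapper_files,
    }


if __name__ == "__main__":
    print(audit_trace(SAMPLE_TRACE))
```

A trace for this check can be captured with `strace -f -o trace.log` against the daemon while a client sends it a request.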