Package: nfs-kernel-server
Version: 1:1.2.3-3
Severity: grave
Tags: patch

From <https://bugzilla.redhat.com/show_bug.cgi?id=716949>:

> A security flaw was found in the way nfs-utils performed authentication
> of an incoming request, when an IP based authentication mechanism was used
> and certain file systems were exported to either a netgroup or a wildcard
> (e.g. *.my.domain), and some file systems (either the same or different to
> the first set) were exported to specific hosts, IP addresses, or a subnet.
> A remote attacker, able to create global DNS entries, could use this flaw
> to access above listed, exported file systems.
>
> References:
> [1] https://bugzilla.novell.com/show_bug.cgi?id=701702
> [2] http://www.openwall.com/lists/oss-security/2011/06/27/7
>     (CVE Request)
>
> Relevant upstream patch:
> [3] http://marc.info/?l=linux-nfs&m=130875695821953&w=2

This bug appears to have been introduced in upstream version 1.2.3-rc4
and therefore should not affect squeeze or lenny.

Ben.

-- System Information:
Debian Release: wheezy/sid
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'oldstable-proposed-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
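
The quoted advisory ties the flaw to one configuration shape: netgroup or wildcard clients alongside specific hosts, IP addresses, or subnets. The following is an added example, not part of the original report or of nfs-utils, that checks an exports(5) file for that mix. The sample exports content and all function names are constructed for illustration, and the check looks only at the configuration, not at the installed nfs-utils version.

```python
import ipaddress
import re

# Constructed sample in exports(5) syntax; not taken from the bug report.
SAMPLE_EXPORTS = """\
/srv/home    *.my.domain(rw,sync)
/srv/build   @buildhosts(ro)          # netgroup
/srv/backup  192.0.2.10(rw) 198.51.100.0/24(ro) \\
             backup1.my.domain(rw)
"""

def classify(client):
    """Classify one exports(5) client token by how it names clients."""
    name = client.split("(", 1)[0]
    if name.startswith("@"):
        return "netgroup"
    if re.search(r"[*?\[]", name):
        return "wildcard"
    try:
        ipaddress.ip_network(name, strict=False)
        return "subnet" if "/" in name else "address"
    except ValueError:
        return "host"

def parse_exports(text):
    """Yield (path, client_name, kind); quoted paths are not handled."""
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        for token in fields[1:]:
            name = token.split("(", 1)[0]
            if name and not name.startswith("-"):   # skip default options
                yield fields[0], name, classify(token)

def audit(text):
    """Return (mixed, pattern_entries, specific_entries) for an exports file."""
    entries = list(parse_exports(text))
    pattern = [e for e in entries if e[2] in ("netgroup", "wildcard")]
    specific = [e for e in entries if e[2] not in ("netgroup", "wildcard")]
    return bool(pattern and specific), pattern, specific

if __name__ == "__main__":
    mixed, pattern, specific = audit(SAMPLE_EXPORTS)
    for path, name, kind in pattern + specific:
        print(f"{kind:9} {name:22} {path}")
    print("mixed pattern and specific clients:", mixed)
```

To audit a real server, pass the contents of `/etc/exports` to `audit()`; a `True` first element means the file has the mix of client types the advisory describes.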