Bug 5270

Summary: nfs-utils missing security update for CVE-2011-2500
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: anssi.hannula, davidwhodgins, guillomovitch, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: nfs-utils-1.2.3-2.1.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-04-07 18:11:19 CEST 
RedHat has issued this advisory on December 6:
https://rhn.redhat.com/errata/RHSA-2011-1534.html

We already fixed CVE-2011-1749, but the other one, a flaw in IP address authentication, was missed.  Cauldron is not vulnerable.
David Walser 2012-04-07 19:23:41 CEST

CC: (none) => anssi.hannula

David Walser 2012-04-09 03:18:40 CEST

CC: (none) => guillomovitch

Comment 1 Guillaume Rousse 2012-04-09 14:12:31 CEST 
I just submitted a patched version to core/updates_testing.
Comment 2 David Walser 2012-04-09 16:32:05 CEST 
Advisory:
========================

Updated nfs-utils packages fix security vulnerability:

A flaw was found in the way nfs-utils performed IP based authentication of
mount requests. In configurations where a directory was exported to a group
of systems using a DNS wildcard or NIS (Network Information Service)
netgroup, an attacker could possibly gain access to other directories
exported to a specific host or subnet, bypassing intended access
restrictions. (CVE-2011-2500)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2500
https://rhn.redhat.com/errata/RHSA-2011-1534.html
========================

Updated packages in core/updates_testing:
========================
nfs-utils-1.2.3-2.3.mga1
nfs-utils-clients-1.2.3-2.3.mga1

from nfs-utils-1.2.3-2.3.mga1.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Dave Hodgins 2012-04-09 22:32:35 CEST 
Testing complete on i586 for the srpm
nfs-utils-1.2.3-2.3.mga1.src.rpm

Just testing I can access shares from a VirtualBox guest.  Both
host and guest are running Mageia 1 with the updated nfs packages.

CC: (none) => davidwhodgins

Comment 4 Manuel Hiebel 2012-04-11 22:52:20 CEST 
Testing ok on x86_64 (take some time to remember how it works)


Suggested Advisory:
-------------
Updated nfs-utils packages fix security vulnerability:

A flaw was found in the way nfs-utils performed IP based authentication of
mount requests. In configurations where a directory was exported to a group
of systems using a DNS wildcard or NIS (Network Information Service)
netgroup, an attacker could possibly gain access to other directories
exported to a specific host or subnet, bypassing intended access
restrictions. (CVE-2011-2500)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2500
https://rhn.redhat.com/errata/RHSA-2011-1534.html

https://bugs.mageia.org/show_bug.cgi?id=5270
-------------

SRPM: nfs-utils-1.2.3-2.3.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2012-04-11 23:12:59 CEST 
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED