OpenSuSE has issued an advisory today (June 14):
http://lists.opensuse.org/opensuse-updates/2013-06/msg00146.html

According to RedHat, this was fixed upstream in 1.2.8 (so Cauldron's OK).

The RedHat bug has a link to the upstream commit to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=948072
Whiteboard: (none) => MGA2TOO
Fixed packages have been submitted.
CC: (none) => oe
Thanks Oden!

Advisory:
========================

Updated nfs-utils packages fix security vulnerability:

It was reported that rpc.gssd in nfs-utils is vulnerable to DNS spoofing due to it depending on PTR resolution for GSSAPI authentication. Because of this, if a user were able to poison DNS to a victim's computer, they would be able to trick rpc.gssd into talking to another server (perhaps with less security) than the intended server (with stricter security). If the victim has write access to the second (less secure) server, and the attacker has read access (when they normally might not on the secure server), the victim could write files to that server, which the attacker could obtain (when normally they would not be able to). To the victim this is transparent because the victim's computer asks the KDC for a ticket to the second server due to reverse DNS resolution; in this case Krb5 authentication does not fail because the victim is talking to the "correct" server (CVE-2013-1923).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1923
http://lists.opensuse.org/opensuse-updates/2013-06/msg00146.html
========================

Updated packages in core/updates_testing:
========================
nfs-utils-1.2.5-1.1.mga2
nfs-utils-clients-1.2.5-1.1.mga2
nfs-utils-1.2.7-3.1.mga3

from SRPMS:
nfs-utils-1.2.5-1.1.mga2.src.rpm
nfs-utils-1.2.7-3.1.mga3.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Oden, the following note came from Thierry Vignaud on the dev ml:
BTW, speaking security, this upstream tarball contains pre-compiled .o objects...
Idem for cauldron's 1.2.8
This upstream sucks...
No poc, so just testing that it works, using mcc to create and access shares.

Testing complete on Mageia 2 and 3, i586, and x86_64. For each one, set up a share, and mounted the shares from the other three.

Could someone from the sysadmin team push the srpm nfs-utils-1.2.7-3.1.mga3.src.rpm from Mageia 3 Core Updates Testing to Core Updates and the srpm nfs-utils-1.2.5-1.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory:

Updated nfs-utils packages fix security vulnerability:

It was reported that rpc.gssd in nfs-utils is vulnerable to DNS spoofing due to it depending on PTR resolution for GSSAPI authentication. Because of this, if a user were able to poison DNS to a victim's computer, they would be able to trick rpc.gssd into talking to another server (perhaps with less security) than the intended server (with stricter security). If the victim has write access to the second (less secure) server, and the attacker has read access (when they normally might not on the secure server), the victim could write files to that server, which the attacker could obtain (when normally they would not be able to). To the victim this is transparent because the victim's computer asks the KDC for a ticket to the second server due to reverse DNS resolution; in this case Krb5 authentication does not fail because the victim is talking to the "correct" server (CVE-2013-1923).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1923
http://lists.opensuse.org/opensuse-updates/2013-06/msg00146.html
https://bugs.mageia.org/show_bug.cgi?id=10528
Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Yes, I saw this too, but just tested to build 1.2.8 on mga3 and all objects and binaries are recompiled and overwritten. However, it could be nice with some checks for these things in the bs. In this case the maintainer or the person bumping 1.2.7 -> 1.2.8 should have noticed that the tarball was much larger.
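One way such a build-system check could look, as an added example that is not part of the thread and not Mageia build system code: it scans a source tarball for pre-compiled files by magic bytes (ELF, ar) and falls back to file extension. The function names, extension list and sample archive contents are constructed for illustration.

```python
import io
import tarfile

# Magic bytes of compiled artefacts: ELF objects/binaries and ar static libraries.
MAGICS = {b"\x7fELF": "ELF object/binary", b"!<arch>\n": "ar archive (static library)"}
SUSPECT_EXT = (".o", ".a", ".so")  # assumed heuristic list, used when no magic matches


def find_prebuilt(fileobj):
    """Return a sorted list of (member name, reason) for pre-compiled files."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks, devices
            head = tar.extractfile(member).read(8)
            reason = next((why for magic, why in MAGICS.items()
                           if head.startswith(magic)), None)
            if reason is None and member.name.endswith(SUSPECT_EXT):
                reason = "suspicious extension"
            if reason:
                findings.append((member.name, reason))
    return sorted(findings)


def build_sample_tarball():
    """Constructed sample: two source files plus three stray compiled files."""
    files = {
        "example-1.0/src/main.c": b"int main(void) { return 0; }\n",
        "example-1.0/src/main.o": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "example-1.0/lib/libfoo.a": b"!<arch>\n",
        "example-1.0/README": b"docs\n",
        # Compiled binary without a telltale extension: caught by magic only.
        "example-1.0/tools/helper": b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in find_prebuilt(build_sample_tarball()):
        print(f"{name}: {reason}")
```

A non-empty result could fail the import of a new upstream tarball until the maintainer has reviewed or stripped the listed files.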
Advisory ready to push.
http://advisories.mageia.org/MGASA-2013-0178.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)