Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 May 2017 17:55:20 -0700
From: Seth Arnold <>
Subject: Re: rpcbomb: remote rpcbind denial-of-service

On Wed, May 03, 2017 at 08:55:23PM +0200, Guido Vranken wrote:
> This vulnerability allows an attacker to allocate any amount of bytes
> (up to 4 gigabytes per attack) on a remote rpcbind host, and the
> memory is never freed unless the process crashes or the administrator
> halts or restarts the rpcbind service.
> [...]
> An extensive write-up can be found here:
> Exploit + patches:

Hello Guido, nice find. Have CVE numbers been requested for this issue
yet? Have you investigated if ntirpc is affected too? Much of the code
looks similar:


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ