Date: Tue, 08 Jul 2014 13:55:33 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Summer bug cleaning - rpcbind -h option

And an RPC one (and possibly other NFS utils):

https://bugzilla.redhat.com/show_bug.cgi?id=852282
CVE-2012-3541 rpcbind: -h fails to control access to rpcbind

I'm guessing nobody noticed or cares much because people use firewalls
to control access to ports, not internal -h or whatever flags. The
reason rpcbind qualifies for a CVE is it exposes rpcbind on interfaces
against the direct configuration it was given (e.g. if you tell it to
listen to localhost only it would expose itself to the world).

- -- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
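
An added example, not part of the original message: one way to check whether rpcbind's listening sockets on port 111 match the addresses given with `-h`, by parsing `ss -H -tuln` output. The sample output and the allowed-address list are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not from the original post):
# rpcbind was started with "-h 127.0.0.1" but wildcard sockets are still open.
SAMPLE_SS = """\
udp   UNCONN 0      0          127.0.0.1:111       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128             [::]:111          [::]:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""

def parse_local(field):
    """Split an ss 'Local Address:Port' field into (ip_address, port)."""
    host, port = field.rsplit(":", 1)
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host == "*":                           # some ss versions print * for "any"
        host = "::"
    return ipaddress.ip_address(host), int(port)

def unexpected_listeners(ss_output, allowed, port=111):
    """Return (proto, address) pairs on `port` bound outside the `allowed` list."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue  # not a socket line
        addr, lport = parse_local(cols[4])
        if lport == port and addr not in allowed:
            findings.append((cols[0], str(addr)))
    return findings

if __name__ == "__main__":
    # Addresses passed to rpcbind -h on this host (assumed configuration).
    for proto, addr in unexpected_listeners(SAMPLE_SS, ["127.0.0.1", "::1"]):
        scope = "all interfaces" if ipaddress.ip_address(addr).is_unspecified else addr
        print(f"rpcbind {proto}/111 is listening on {scope}, outside the -h list")
```

On a live host, pass the real output of `ss -H -tuln` in place of `SAMPLE_SS`.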
