[FLSA-2005:152871] Updated nfs-utils package fixes security issue

Pekka Savola pekkas at netcore.fi
Tue May 17 09:17:51 UTC 2005


Hi,

Would it make sense to 'touch' the updates while they move from 
updates-testing to updates?

There are considerations either way, but doing so would make it easier 
to spot the new updates -- as in many times, an update has been 
sitting idle at updates-testing for even months, so doing a 'ls -lart' 
listing in the updates directory doesn't show the latest updates 
first..


On Thu, 12 May 2005, Marc Deslauriers wrote:
> ---------------------------------------------------------------------
>               Fedora Legacy Update Advisory
>
> Synopsis:          Updated nfs-utils package fixes security issue
> Advisory ID:       FLSA:152871
> Issue date:        2005-05-12
> Product:           Red Hat Linux, Fedora Core
> Keywords:          Bugfix
> CVE Names:         CAN-2004-1014
> ---------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------
> 1. Topic:
>
> An updated nfs-utils package that fixes a security issue is now
> available.
>
> The nfs-utils package provides a daemon for the kernel NFS server and
> related tools, providing a much higher level of performance than the
> traditional Linux NFS server used by most users.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
> Fedora Core 1 - i386
>
> 3. Problem description:
>
> SGI reported that the statd daemon did not properly handle the SIGPIPE
> signal. A misconfigured or malicious peer could cause statd to crash,
> leading to a denial of service. The Common Vulnerabilities and Exposures
> project (cve.mitre.org) has assigned the name CAN-2004-1014 to this
> issue.
>
> All users of nfs-utils should upgrade to this updated package, which
> resolves this issue.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade.  Only those
> RPMs which are currently installed will be updated.  Those RPMs which
> are not installed but included in the list will not be updated.  Note
> that you can also use wildcards (*.rpm) if your current directory *only*
> contains the desired RPMs.
>
> Please note that this update is also available via yum and apt.  Many
> people find this an easier way to apply updates.  To use yum issue:
>
> yum update
>
> or to use apt:
>
> apt-get update; apt-get upgrade
>
> This will start an interactive process that will result in the
> appropriate RPMs being upgraded on your system.  This assumes that you
> have yum or apt-get configured for obtaining Fedora Legacy content.
> Please visit http://www.fedoralegacy.org/docs for directions on how to
> configure yum and apt-get.
>
> 5. Bug IDs fixed:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152871
>
> 6. RPMs required:
>
> Red Hat Linux 7.3:
> SRPM:
> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/nfs-utils-0.3.3-6.73.1.legacy.src.rpm
>
> i386:
> http://download.fedoralegacy.org/redhat/7.3/updates/i386/nfs-utils-0.3.3-6.73.1.legacy.i386.rpm
>
> Red Hat Linux 9:
>
> SRPM:
> http://download.fedoralegacy.org/redhat/9/updates/SRPMS/nfs-utils-1.0.1-3.9.1.legacy.src.rpm
>
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/nfs-utils-1.0.1-3.9.1.legacy.i386.rpm
>
> Fedora Core 1:
>
> SRPM:
> http://download.fedoralegacy.org/fedora/1/updates/SRPMS/nfs-utils-1.0.6-1.1.legacy.src.rpm
>
> i386:
> http://download.fedoralegacy.org/fedora/1/updates/i386/nfs-utils-1.0.6-1.1.legacy.i386.rpm
>
> 7. Verification:
>
> SHA1 sum                                 Package Name
> ---------------------------------------------------------------------
>
> 8c5abe86dcf8c54d71fdb7431df159405fed830b
> redhat/7.3/updates/i386/nfs-utils-0.3.3-6.73.1.legacy.i386.rpm
> e6ed500f9a027f882410942eeba7807a02e7684a
> redhat/7.3/updates/SRPMS/nfs-utils-0.3.3-6.73.1.legacy.src.rpm
> 4b5a41715061a0d4e04d2b7310657ccf9cb1a3cb
> redhat/9/updates/i386/nfs-utils-1.0.1-3.9.1.legacy.i386.rpm
> 37e2bb721b47e569bd9e6ee922532f9d9e8dcde3
> redhat/9/updates/SRPMS/nfs-utils-1.0.1-3.9.1.legacy.src.rpm
> 8720cd5101f6d989e2f0695a54049561644ccd93
> fedora/1/updates/i386/nfs-utils-1.0.6-1.1.legacy.i386.rpm
> 7320e145578c605b50ab7dcfb46ff4c152b0487c
> fedora/1/updates/SRPMS/nfs-utils-1.0.6-1.1.legacy.src.rpm
>
> These packages are GPG signed by Fedora Legacy for security.  Our key is
> available from http://www.fedoralegacy.org/about/security.php
>
> You can verify each package with the following command:
>
>    rpm --checksig -v <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the sha1sum with the following command:
>
>    sha1sum <filename>
>
> 8. References:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1014
>
> 9. Contact:
>
> The Fedora Legacy security contact is <secnotice at fedoralegacy.org>. More
> project details at http://www.fedoralegacy.org
>
> ---------------------------------------------------------------------
>

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
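
Added example (not part of the original message or of the Fedora Legacy advisory): the SHA1 check from section 7 of the quoted advisory, applied to a whole download directory by reading the digest/path pairs from a saved copy of the advisory. The function names and the saved-advisory file are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare downloaded RPMs with the SHA1 table of a saved advisory.
# advisory_sums and verify_against_advisory are names made up for this example.

# Print "sha1  basename" for each table entry. The advisory puts the 40-hex
# digest on one line and the package path on the next; mail quoting ("> ")
# is stripped first so a saved reply works as well as the original.
advisory_sums() {
    sed 's/^[> ]*//; s/[[:space:]]*$//' "$1" | awk '
        length($0) == 40 && $0 !~ /[^0-9a-f]/ { digest = $0; next }
        digest != "" && /\.rpm$/ { n = split($0, part, "/"); print digest "  " part[n] }
        { digest = "" }'
}

# Check every listed package that exists in directory $2.
# Returns 0 if all present files match, 1 on any mismatch, and 2 if the
# advisory yielded no entries or none of the listed files was found.
verify_against_advisory() {
    listing=$(advisory_sums "$1")
    [ -n "$listing" ] || { echo "no SHA1 entries in $1" >&2; return 2; }
    checked=0 result=0
    while read -r want name; do
        [ -f "$2/$name" ] || continue          # not downloaded, nothing to check
        checked=$((checked + 1))
        got=$(sha1sum "$2/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name"; result=1
        fi
    done <<EOF
$listing
EOF
    [ "$checked" -gt 0 ] || { echo "no listed package found in $2" >&2; return 2; }
    return "$result"
}

# Direct use: sh this-script advisory.txt /path/to/downloaded/rpms
if [ "$#" -eq 2 ]; then verify_against_advisory "$1" "$2"; fi
```

A match only shows that the file is the one the advisory lists; as the advisory says, `rpm --checksig -v` is the check against the Fedora Legacy GPG key.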



