The debian-private mailing list leak, part 1.


Re: Security problem in old nfs-server versions (DFN-CERT#41511).



-----BEGIN PGP SIGNED MESSAGE-----

Olaf Kirch wrote:
>
> I just got word from DFN-CERT that there is a bug in pre-2.2beta6
> versions of nfsd that can have serious security consequences. These
> old versions did not treat lines containing only white space properly.
> These lines would magically turn into a world-wide export of the current
> working directory, with default permissions (read-only at least).
> The report quoted to me by dfn-cert claims that at least DLD is concerned.
> I would ask other vendors to make sure they use a more recent version
> of unfsd.  (Note that this release dates back to December 1995).
>
> Unfortunately, I don't have the email address of anyone representing DLD.
> If anyone who has an address could please forward the message and send
> me back the address so I can add it to my list? However, please don't
> post this information to linux-security or usenet yet since I'm not
> sure what DFN-CERT is up to with regard to this.

We would like to know which distributions are vulnerable before distributing
the vulnerability report. This is just to avoid confusion among the users
who will ask for information regarding the distribution they are using.

Once this information is available (or at least from some maintainers of
the various Linux distributions) we would like to inform our constituency
about the problem and the solution. A very rough draft of such an announcement
is appended at the end of this email.
If there is an advisory from the Linux community then we would distribute
that one.

> Finally, is there any interest in a linux vendor security list where we
> can share security information without releasing it to the masses and
> create joint announcements (the way the Linux Security FAQ updates used
> to work?). Of course, I'd also want to include prominent security guys
> from the Linux community.  I'd volunteer to set up this list and handle
> subscriptions.

From DFN-CERT's point of view, we would really appreciate such a mailing
list. The problem with Linux vulnerabilities is the huge number of different
Linux distributions. If there is a single contact address for reporting
security problems and getting them fixed in the different distributions, then
this would be very helpful.

Bye,
  Wolfgang Ley (DFN-CERT)
--
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day

===========================================================================

Description:

  A vulnerability exists in the Linux nfsd prior to version 2.2beta6.
  Due to incorrect parsing of the /etc/exports file, the root filesystem
  may be exported without restrictions if the /etc/exports file
  contains empty lines.

Impact:

  This vulnerability permits remote attackers to access the / filesystem
  via NFS.

Solution:

  If you're running an nfsd prior to version 2.2beta6, then you should upgrade
  to the current version. You can check the version number of your nfsd by
  using the command "/usr/sbin/rpc.nfsd -v".
  As a workaround you should ensure that your /etc/exports file does not
  contain any empty lines (lines with spaces and/or tabs only).

  A newer nfsd version which fixes this security problem is available via
  anonymous FTP from
  ftp://ftp.mathematik.th-darmstadt.de/pub/linux/okir/nfs-server-2.2beta26.tar.gz

  Information from the following Linux distributions is available:

  [...]

  If the Linux system you're using is not listed then please contact your
  distributor directly or upgrade to the listed NFS server 2.2beta26.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBM8nzwAQmfXmOCknRAQG97gP9HqN0SvTWtTJ8KKQJZS5g0T1dc5ruqwC+
kpkOdqFt9uqfoUSEs1fa/gUy0iaPuE4esuxILtvnH3GvcS1jYha8dQvlX5DIKQdu
OWZK9uJq4nZ4XrKRQwhxndiGssP97mXqH7tbwbEq3v9wrb/PgrG0/aWZd7afny+K
PUeD/t1ulO0=
=lrdB
-----END PGP SIGNATURE-----
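
The failure Olaf describes above, a line of nothing but spaces or tabs being
read as an export of the current directory with default permissions, is what
you get from an exports parser that never distinguishes "empty token" from
"no entry on this line". The C below is an added illustration written for this
archive page; it is not unfsd's own code, and since the real pre-2.2beta6
parser is not shown on the page, the naive function is an assumed
reconstruction of that failure mode. It puts the naive tokenizer next to a
hardened one that rejects blank lines and relative paths, and implements the
advisory's workaround as a check that lists empty or whitespace-only lines.
The sample exports file and the hostname alpha.example.com are constructed.

```c
/* Added illustration, not unfsd's code: the page does not show the real parser,
 * so parse_naive is an assumed reconstruction of the failure mode. */
#include <stdio.h>
#include <string.h>

#define MAX_TOK 256

struct export_entry {
    char path[MAX_TOK];    /* exported directory; "" if the line had none */
    char clients[MAX_TOK]; /* host(options) list; "" means no restriction */
};

static const char *skip_ws(const char *p) { while (*p == ' ' || *p == '\t') p++; return p; }

/* Naive parser (assumed pre-2.2beta6 behaviour): every non-comment line
 * becomes an entry. A line of only spaces/tabs yields path "" and clients "",
 * i.e. a relative export of the daemon's current directory, open to everyone. */
static int parse_naive(const char *line, struct export_entry *e)
{
    const char *p = skip_ws(line);
    size_t n;
    memset(e, 0, sizeof *e);
    if (*p == '#') return 0;
    n = strcspn(p, " \t\r\n");
    if (n >= MAX_TOK) n = MAX_TOK - 1;
    memcpy(e->path, p, n);
    p = skip_ws(p + n);
    n = strcspn(p, "\r\n");
    if (n >= MAX_TOK) n = MAX_TOK - 1;
    memcpy(e->clients, p, n);
    return 1;
}

/* Hardened parser: reject blank and comment lines and insist on an absolute
 * path before tokenizing, so an empty token can never turn into an export. */
static int parse_fixed(const char *line, struct export_entry *e)
{
    const char *p = skip_ws(line);
    if (*p == '\0' || *p == '\r' || *p == '\n' || *p == '#') return 0;
    if (*p != '/') return 0;
    return parse_naive(p, e);
}

typedef int (*line_parser)(const char *, struct export_entry *);

/* Run a parser over a whole exports file (one string) and count entries with
 * an empty path and no client list: the accidental world export of ".". */
static int count_cwd_world_exports(const char *content, line_parser parse)
{
    int bad = 0;
    const char *p = content;
    while (*p) {
        char line[512];
        struct export_entry e;
        size_t n = strcspn(p, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        if (parse(line, &e) && e.path[0] == '\0' && e.clients[0] == '\0')
            bad++;
        p += n;
        if (*p == '\n') p++;
    }
    return bad;
}

/* The advisory's workaround as a check: report empty or whitespace-only lines
 * (1-based numbers) so they can be deleted on an unpatched nfsd. */
static int audit_blank_lines(const char *content)
{
    int lineno = 1, bad = 0;
    const char *p = content;
    while (*p) {
        size_t n = strcspn(p, "\n");
        if (skip_ws(p) == p + n) {
            printf("line %d: empty or whitespace-only line\n", lineno);
            bad++;
        }
        p += n;
        if (*p == '\n') p++;
        lineno++;
    }
    return bad;
}

/* Constructed sample exports file (hostname made up): a tab/space line and an
 * empty line sit between two legitimate entries. */
static const char SAMPLE_EXPORTS[] =
    "# constructed sample, not from any real host\n"
    "/home/ftp/pub (ro)\n"
    "\t \n"
    "/usr/local alpha.example.com(rw)\n"
    "\n";

int main(void)
{
    printf("naive parser: %d accidental world export(s) of the cwd\n",
           count_cwd_world_exports(SAMPLE_EXPORTS, parse_naive));
    printf("fixed parser: %d\n", count_cwd_world_exports(SAMPLE_EXPORTS, parse_fixed));
    printf("audit: %d blank line(s) to remove\n", audit_blank_lines(SAMPLE_EXPORTS));
    return 0;
}
```

Pointing audit_blank_lines at a real file is a matter of reading
/etc/exports into a buffer; on the sample, the two lines it flags are exactly
the two the naive parser turns into unrestricted exports and the fixed parser
silently drops. On a live system the version check from the advisory,
/usr/sbin/rpc.nfsd -v, is still the first thing to run: stripping blank lines
from the file masks the bug on one host but does not fix the daemon.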


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .