The debian-private mailing list leak, part 1.


Re: Security problem in old nfs-server versions (DFN-CERT#41511).



-----BEGIN PGP SIGNED MESSAGE-----

Hi,

we haven't received new information regarding the status of the different
Linux distributions and their nfsd within the last week.
Appended is the current summary of the available information.

If anyone has more detailed information (like for DLD or Slackware)
then we would be interested to know that. Otherwise we are planning
to release this information on Thursday, 31st.

Corrections/Additions are welcome.

Bye,
  Wolfgang Ley (DFN-CERT)
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day



===========================================================================
Description:

  A vulnerability exists in the Linux nfsd prior to version 2.2beta6.
  Due to incorrect parsing of the /etc/exports file the root filesystem
  may be exported without restrictions if the /etc/exports file contains
  empty lines.


Impact:

  This vulnerability permits remote attackers to access the / filesystem
  via NFS.


Solution:

  If you're running an nfsd prior to version 2.2beta6 then you should upgrade
  to the current version. You can check the version number of your nfsd by
  using the command "/usr/sbin/rpc.nfsd -v".
  As a workaround you should assure that your /etc/exports file does not
  contain any empty lines (lines with spaces and/or tabs only).

  A newer nfsd version which fixes this security problem is available via
  anonymous FTP from
  ftp://ftp.mathematik.th-darmstadt.de/pub/linux/okir/nfs-server-2.2beta26.tar.gz

  Information from the following Linux distributions is available:

    Debian:
      Debian 1.1.9 (Mar 96) and later are not vulnerable as they are
      shipped with an nfsd of at least version 2.2beta6.

    S.u.S.E:
      S.u.S.E. Linux 4.3 (May 96) uses nfsd 2.2beta4 and is vulnerable.
      S.u.S.E. Linux 4.4 (Sep 96) and later are not vulnerable as they
      are shipped with nfsd 2.2beta16.

    Red Hat:
      Red Hat 3.0.3 uses nfsd 2.2beta4 and is vulnerable.
      Red Hat 4.0 and later use nfsd 2.2beta16 and are not vulnerable.

    DLD (user report):
      DLD 5.01 Classic uses nfsd 2.0 and is vulnerable.

    Slackware (user report):
      Slackware 3.1 uses nfsd 2.2beta2 and is vulnerable.

  If the Linux system you're using is not listed then please contact your
  distributor directly or upgrade to the listed NFS server 2.2beta26.


Credits:

  The DFN-CERT thanks Dr. Martin Lang (Univ. Hohenheim) for reporting this
  bug and Olaf Kirch for technical information and fixes.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBM9uFmgQmfXmOCknRAQHcnQQAiG81Nj+ny4N+ZQrU3PF0+XIh3WBPwFXb
Z1YcN3VnEkA22bfvarobgcy9S65gdroPHZnf7iNFfO5oXEClGDluacR2naC2zLEh
PQ1esM2N9E4wxq9S2FYI4vZw60jZd5rkD/QVRpuxizliCDqzTQ7XttpoIg82xg8N
KPDcb062JR0=
=i9eO
-----END PGP SIGNATURE-----
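The advisory above gives two things an administrator can check: whether the installed nfsd predates 2.2beta6, and whether /etc/exports contains the empty or whitespace-only lines that such an nfsd turns into an unrestricted export of "/". The script below is an added example written for this page; it is not part of the DFN-CERT advisory or of Olaf Kirch's nfs-server package. It assumes version strings of the form "M.m" or "M.mbetaN" (the exact text printed by "rpc.nfsd -v" is not reproduced here, so extract the number before calling nfsd_vulnerable), and the exports file content it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the DFN-CERT advisory: audit a host for the
# nfsd /etc/exports blank-line problem.
#   nfsd_vulnerable VERSION  - is VERSION older than 2.2beta6?
#   check_exports FILE       - does FILE contain empty or whitespace-only
#                              lines (what old nfsd mis-parses)?
#   fix_exports FILE OUT     - write a copy without such lines (workaround).
# The sample exports content in demo() is constructed for this example.

# Print "N:" for every empty / whitespace-only line; exit 0 if any exist.
exports_blank_lines() {
    grep -n '^[[:space:]]*$' "$1"
}

# Exit 0 if FILE is clean, 1 if it contains at least one blank line.
check_exports() {
    if exports_blank_lines "$1" >/dev/null 2>&1; then
        echo "UNSAFE: $1 has empty lines (line numbers follow)"
        exports_blank_lines "$1"
        return 1
    fi
    echo "OK: $1 has no empty lines"
}

# Workaround from the advisory: drop empty / whitespace-only lines.
# Comment lines and real export entries are copied unchanged.
fix_exports() {
    grep -v '^[[:space:]]*$' "$1" > "$2"
}

# Exit 0 if VERSION predates 2.2beta6.  Accepts "M.m" or "M.mbetaN"; a
# version without "beta" is treated as later than any beta of that M.m.
# Assumption: the caller has already extracted the number from
# "rpc.nfsd -v" output; the output format itself is not assumed here.
nfsd_vulnerable() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    case $rest in
        *beta*) minor=${rest%%beta*}; beta=${rest#*beta} ;;
        *)      minor=$rest;          beta=999999 ;;
    esac
    # Tuple comparison (major, minor, beta) < (2, 2, 6).
    if [ "$major" -ne 2 ]; then [ "$major" -lt 2 ]; return; fi
    if [ "$minor" -ne 2 ]; then [ "$minor" -lt 2 ]; return; fi
    [ "$beta" -lt 6 ]
}

# Stand-alone demonstration on a constructed exports file: line 2 is empty
# and line 4 holds only spaces and a tab, exactly the cases the advisory warns about.
demo() {
    f=$(mktemp) && out=$(mktemp) || return 1
    printf '/home   client1(rw)\n\n/usr    client2(ro)\n   \t\n# end\n' > "$f"
    for ver in 2.0 2.2beta2 2.2beta4 2.2beta6 2.2beta16 2.2beta26; do
        if nfsd_vulnerable "$ver"; then echo "nfsd $ver: vulnerable"
        else echo "nfsd $ver: not vulnerable"; fi
    done
    check_exports "$f" || true
    fix_exports "$f" "$out"
    check_exports "$out"
    rm -f "$f" "$out"
}

demo
```

Removing the blank lines is only the workaround; the version check is what tells you whether the upgrade to the 2.2beta26 server linked above is still needed, since a clean exports file today does not stop someone from reintroducing a blank line later.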


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .