nfs-utils: CVE-2013-1923: rpc.gssd is vulnerable to DNS spoofing

Related Vulnerabilities: CVE-2013-1923  

Debian Bug report logs - #707401


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 9 May 2013 08:16:12 UTC

Severity: important

Tags: security

Found in versions 1:1.2.6-3, 1:1.2.2-4squeeze2

Fixed in versions nfs-utils/1:1.2.8-1, nfs-utils/1:1.2.6-4

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#707401; Package nfs-utils. (Thu, 09 May 2013 08:16:16 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian kernel team <debian-kernel@lists.debian.org>. (Thu, 09 May 2013 08:16:16 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nfs-utils: CVE-2013-1923: rpc.gssd is vulnerable to DNS spoofing
Date: Thu, 09 May 2013 10:15:30 +0200
Package: nfs-utils
Version: 1:1.2.2-4squeeze2 
Severity: important
Tags: security
Control: found -1 1:1.2.6-3

Hi,

the following vulnerability was published for nfs-utils.

CVE-2013-1923[0]:
rpc.gssd is vulnerable to DNS spoofing

An explanation is also available at [1]. New upstream version 1.2.8
avoids DNS reverse lookups on server names[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1923
    http://security-tracker.debian.org/tracker/CVE-2013-1923
[1] http://ssimo.org/blog/id_015.html
[2] https://www.kernel.org/pub/linux/utils/nfs-utils/1.2.8/1.2.8-ChangeLog

Regards,
Salvatore
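
The report and the 1.2.8 changelog only say that rpc.gssd was "vulnerable to DNS spoofing" and that the fix "avoids DNS reverse lookups on server names". The program below is an added illustration of why that lookup is dangerous in a Kerberos client; it is not nfs-utils code and not the reporter's. It models a client that builds the nfs/<host>@REALM service principal from a reverse (PTR) lookup of the server's IP address, next to a client that builds it from the hostname the administrator gave on the mount command line. The realm, hostnames, addresses and the in-memory PTR tables are constructed for the example so it runs offline; the `reverse_lookup()` stand-in plays the role of gethostbyaddr()/getnameinfo(). With the reverse zone under attacker influence, the first variant asks the KDC for a ticket to a principal of the attacker's choosing, which an attacker who legitimately holds that principal's key in the same realm can then use to impersonate the server; the second variant is unaffected by anything the reverse zone says.

```c
/*
 * Added example (hypothetical, not from nfs-utils): deriving a Kerberos
 * service principal from a reverse DNS lookup of the server address versus
 * from the administrator-supplied mount hostname.  Realm, hosts, addresses
 * and the PTR tables below are constructed sample data.
 */
#include <stdio.h>
#include <string.h>

#define REALM "EXAMPLE.COM"   /* assumed realm for the example */

/* One PTR record: address -> name. */
struct ptr_entry {
    const char *ip;
    const char *name;
};

/* Constructed reverse zone with an honest answer for the NFS server. */
static const struct ptr_entry honest_ptr[] = {
    { "192.0.2.10", "nfs1.example.com" },
    { NULL, NULL }
};

/* The same zone as seen by a client whose PTR answers are being spoofed. */
static const struct ptr_entry spoofed_ptr[] = {
    { "192.0.2.10", "evil.example.com" },
    { NULL, NULL }
};

/* Stand-in for gethostbyaddr()/getnameinfo(): consult a PTR table. */
static const char *reverse_lookup(const struct ptr_entry *table, const char *ip)
{
    for (; table->ip != NULL; table++)
        if (strcmp(table->ip, ip) == 0)
            return table->name;
    return NULL;
}

/*
 * Vulnerable pattern: the principal the client will ask a ticket for is
 * whatever name the network returned for the server's address.
 * Returns 0 on success, -1 if the lookup fails or the buffer is too small.
 */
int principal_from_ptr(const struct ptr_entry *table, const char *server_ip,
                       char *out, size_t outlen)
{
    const char *host = reverse_lookup(table, server_ip);
    int n;

    if (host == NULL)
        return -1;
    n = snprintf(out, outlen, "nfs/%s@%s", host, REALM);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/*
 * Fixed pattern: the principal is derived only from the name the
 * administrator configured (the mount's server name), so a spoofed
 * reverse zone cannot change it.
 */
int principal_from_mount_host(const char *mount_host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "nfs/%s@%s", mount_host, REALM);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    char p[128];

    if (principal_from_ptr(honest_ptr, "192.0.2.10", p, sizeof p) == 0)
        printf("honest PTR  -> %s\n", p);
    if (principal_from_ptr(spoofed_ptr, "192.0.2.10", p, sizeof p) == 0)
        printf("spoofed PTR -> %s\n", p);   /* attacker picked the principal */
    if (principal_from_mount_host("nfs1.example.com", p, sizeof p) == 0)
        printf("mount host  -> %s\n", p);   /* independent of the reverse zone */
    return 0;
}
```

The check a practitioner wants from this is the one the fixed variant makes structural: every input that selects a Kerberos principal should come from configuration or from a name the user typed, never from a reverse lookup of an address, because PTR data is controlled by whoever answers the query.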



Marked as found in versions 1:1.2.6-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 09 May 2013 08:16:16 GMT)


Reply sent to Luk Claes <luk@zomers.be>:
You have taken responsibility. (Fri, 10 May 2013 12:51:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 10 May 2013 12:51:19 GMT)


Message #12 received at 707401-close@bugs.debian.org:

From: Luk Claes <luk@zomers.be>
To: 707401-close@bugs.debian.org
Subject: Bug#707401: fixed in nfs-utils 1:1.2.8-1
Date: Fri, 10 May 2013 12:47:45 +0000
Source: nfs-utils
Source-Version: 1:1.2.8-1

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@zomers.be> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 10 May 2013 14:27:47 +0200
Source: nfs-utils
Binary: nfs-kernel-server nfs-common
Architecture: source amd64
Version: 1:1.2.8-1
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Luk Claes <luk@zomers.be>
Description: 
 nfs-common - NFS support files common to client and server
 nfs-kernel-server - support for NFS kernel server
Closes: 657188 682709 685306 690181 707258 707401 707589
Changes: 
 nfs-utils (1:1.2.8-1) unstable; urgency=low
 .
   * New upstream version (Closes: #707258).
     - Only amend extra-options on a successful vers=4 mount
       (Closes: #690181).
     - Use default domain (Closes: #657188).
     - Fix is-subdirectory to understand '/' (Closes: #685306).
     - Drop 18-osd_login-sbindir: incorporated upstream.
     - Avoid DNS reverse lookups on server names (Closes: #707401).
     - auth_unix_ip should downcall on error (Closes: #682709).
     - Refresh 11-532048-reduce-verbosity.
   * Use rpcbind's rpcinfo everywhere (Closes: #707589).
   * Add nfsdcltrack to nfs-kernel-server.
   * Add libsqlite3-dev build dependency for nfsdcltrack.
   * Do not try to install dropped ChangeLog.
   * Adjust version of replaces due to manpage move.
Checksums-Sha1: 
 2d7394e953d136b3e3a0f85410549b14743644a8 2261 nfs-utils_1.2.8-1.dsc
 b65fc6f0872219583a142594d9c3d7deaf748457 2747577 nfs-utils_1.2.8.orig.tar.bz2
 4625a7278d1030ce00a0f6675c9ffd235836bf09 35978 nfs-utils_1.2.8-1.debian.tar.bz2
 e372b7460de1ad65b8210cbc9aa73a7e0c85afc8 146158 nfs-kernel-server_1.2.8-1_amd64.deb
 0bd5085d756c7f202afe858843c53a64c836bd37 270740 nfs-common_1.2.8-1_amd64.deb
Checksums-Sha256: 
 8cead4baa468bec79d9fcdd660aebccbd901b7f5eb481968758246fdd37f10b9 2261 nfs-utils_1.2.8-1.dsc
 1cc8f02a633eddbf0a1d93421f331479c4cdab4c5ab33b8bf8c7c369f9156ac6 2747577 nfs-utils_1.2.8.orig.tar.bz2
 a8e7387bce5bf1ec95baaf29c1bcec1f7925790be283a782fbd6886153d1311a 35978 nfs-utils_1.2.8-1.debian.tar.bz2
 1047b4c39e830177f2ffa942a5e386a3358976d8025f1f91ba0805ce389cde9d 146158 nfs-kernel-server_1.2.8-1_amd64.deb
 b367c32ae913fc4f841b906b58dfbcef9cbc166167c50896682d740cf1cb23ff 270740 nfs-common_1.2.8-1_amd64.deb
Files: 
 cf2e08176d3df966044cb4d85e103f45 2261 net standard nfs-utils_1.2.8-1.dsc
 6e7d97de51e428a0b8698c16ca23db77 2747577 net standard nfs-utils_1.2.8.orig.tar.bz2
 237e351895593f4327839e403642a9c6 35978 net standard nfs-utils_1.2.8-1.debian.tar.bz2
 6908075b673ff28f143288162dfccaca 146158 net optional nfs-kernel-server_1.2.8-1_amd64.deb
 35d8be301a751fe0000b7a5750f4b291 270740 net standard nfs-common_1.2.8-1_amd64.deb





Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Tue, 21 May 2013 22:21:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 21 May 2013 22:21:18 GMT)


Message #17 received at 707401-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 707401-close@bugs.debian.org
Subject: Bug#707401: fixed in nfs-utils 1:1.2.6-4
Date: Tue, 21 May 2013 22:17:07 +0000
Source: nfs-utils
Source-Version: 1:1.2.6-4

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 11 May 2013 14:37:13 +0200
Source: nfs-utils
Binary: nfs-kernel-server nfs-common
Architecture: source amd64
Version: 1:1.2.6-4
Distribution: stable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 nfs-common - NFS support files common to client and server
 nfs-kernel-server - support for NFS kernel server
Closes: 675188 682709 707401 707720
Changes: 
 nfs-utils (1:1.2.6-4) stable; urgency=low
 .
   * mountd: auth_unix_ip should downcall on error to prevent
     hangs (Closes: #682709).
   * Avoid DNS reverse resolution fixes CVE-2013-1923 (Closes: #707401).
   * Set default domain (Closes: #675188).
   * Fix getopt handling for -R option (Closes: #707720).
Checksums-Sha1: 
 e12d056ac347f2ca2bdd71af3f537d770b5dbb4d 2244 nfs-utils_1.2.6-4.dsc
 ecce84b044fca647feb30bec64fdf39427e776ad 39545 nfs-utils_1.2.6-4.debian.tar.bz2
 d54414ec2b0696b93d8e53cda1341eb6f0b48f35 156260 nfs-kernel-server_1.2.6-4_amd64.deb
 6e22b10977d81da12bf759ea25dc97f3760e0c02 287812 nfs-common_1.2.6-4_amd64.deb
Checksums-Sha256: 
 96e6be52317f30ad86e8dd54eebf4eda403c44e4fba3fbb17ea2aacdddfbfdb3 2244 nfs-utils_1.2.6-4.dsc
 3b0ddf1c48d27aaedfd7c15e30301bbbce192024c30978107bfb6ee3ec421611 39545 nfs-utils_1.2.6-4.debian.tar.bz2
 5cd88fe13c4e42fefe780b34d4f53f01d32159c6235d17d18e6cac9739638430 156260 nfs-kernel-server_1.2.6-4_amd64.deb
 54eb48243394718447bffee1dca72e9240ecd5563af46d73ff926d00b0c8f51e 287812 nfs-common_1.2.6-4_amd64.deb
Files: 
 d47f0e26e17d2bd12efe0cf5a6cf9f27 2244 net standard nfs-utils_1.2.6-4.dsc
 37dba20026ed7f6778ec1ef85a254b70 39545 net standard nfs-utils_1.2.6-4.debian.tar.bz2
 07c75214386fad203bf86c70f4ba64e4 156260 net optional nfs-kernel-server_1.2.6-4_amd64.deb
 e7167682ea97c27f8dd75bfd9c673816 287812 net standard nfs-common_1.2.6-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRjj3+AAoJECEnNxubsjBisf8P/iuoViemcgKVDo6tbyn3CoR+
qmLTVYQ3vASdsmwC+FcijH39vG/U76hSd3GWJ+9vni7stqaCApJSTpZJunKgD0zb
hiCTTxw6Q6aCSgsd0ENNd0IGIoRF/ofyXsatN3TjzMjOCkQacBjdPLL4UTOpYG/W
cAbCnYQPcJaQNzS9fC1pLbf5WQ8n43aHRFXH91dZzxYYVS74UB4BwEZ17/IHWKS4
WbA0dZ5TPeor5LW1v4nVT3P3DjkjcPRZUcsSSgy26e/9XEWGMmqiQrdkl0QSWhHr
kFJKUGUQJ20Lo/YMjNTgIU1XjL2zIYkhjUJloa/xYGaKjeY+EpnULCXgZOwJ9oXy
mmw2TsevVZ2F+DLw4OvSVyImyugGKNaCZvcFgiA/SutdgS30hK+bIXaGg2lvcMjB
ISSLhPmC0qKLvpLnaEY7580SJ07Ady7dD/1d/D3KsIAqUNBjG4NuHs5mjIfvA2Gg
MiVSWUDhntlgVaFyzKUWeESmVshY2QHZhMuaKwfiJPOceH5C8EKFbzBZPehtvDkX
lDLSfxvzltqSNRpokeEhPZshLjF06R/9Ll2Le+C28UgN7DTrXbpmRiUylq0f75l+
7pHi291eV9qJT9lkAbUgcDZkCyUeZa0m7RGk79f/hkHl6fGaOujPDuIz8s9eHs4E
Ig73Rbl1PKRaIOT9k4iR
=z20X
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 10 Jul 2013 07:25:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:58:00 2019; Machine Name: beach
