-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2008.1096 -- [UNIX/Linux][Ubuntu]
nfs-utils vulnerability
5 December 2008

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              nfs-utils
Publisher:            Ubuntu
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Ubuntu
Impact:               Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-4552

Original Bulletin:    http://www.ubuntu.com/usn/usn-687-1

Comment: This advisory references vulnerabilities in products which run on platforms other than Ubuntu. It is recommended that administrators running nfs-utils check for an updated version of the software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

===========================================================
Ubuntu Security Notice USN-687-1          December 04, 2008
nfs-utils vulnerability
CVE-2008-4552
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  nfs-kernel-server               1:1.0.7-3ubuntu2.1

Ubuntu 7.10:
  nfs-kernel-server               1:1.1.1~git-20070709-3ubuntu1.1

Ubuntu 8.04 LTS:
  nfs-kernel-server               1:1.1.2-2ubuntu2.2

Ubuntu 8.10:
  nfs-kernel-server               1:1.1.2-4ubuntu1.1

After a standard system upgrade you need to restart nfs services to effect the necessary changes.

Details follow:

It was discovered that nfs-utils did not properly enforce netgroup restrictions when using TCP Wrappers.
Remote attackers could bypass the netgroup restrictions enabled by the administrator and possibly gain access to sensitive information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSTiuryh9+71yA2DNAQIkZQP/WtWufqtfFkqaixeyHhoZ9ZyGggXSDs4Z
5iAbw+J+g0sDOgiOTdfIv6r3dImXZAq7PoO/zddppOBW3csb6pIJptaqFumo64k+
ogMRCmlWR6wH7Kt69nRltu8GzrStoZwebTlZaLWgAtlqagGM303pisOGfdn39rU8
CepdXLritaE=
=qc44
-----END PGP SIGNATURE-----
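
Checking a host against the fixed nfs-kernel-server versions in the notice above needs Debian version ordering, because the listed versions carry an epoch (`1:`) and, for Ubuntu 7.10, a tilde that sorts before the plain release. The following is an added example, not part of the bulletin or of any Ubuntu tool; the function names are hypothetical and the ordering rules are those of dpkg.

```python
import re
from itertools import zip_longest

# Fixed nfs-kernel-server versions per Ubuntu release, copied from USN-687-1 above.
FIXED = {
    "6.06": "1:1.0.7-3ubuntu2.1",
    "7.10": "1:1.1.1~git-20070709-3ubuntu1.1",
    "8.04": "1:1.1.2-2ubuntu2.2",
    "8.10": "1:1.1.2-4ubuntu1.1",
}

def _order(ch):
    # dpkg ordering: '~' sorts before end-of-string (0), letters before punctuation.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings the way dpkg does."""
    pat = r"([^0-9]*)([0-9]*)"  # alternating non-digit / digit runs
    pairs = zip_longest(re.findall(pat, a), re.findall(pat, b), fillvalue=("", ""))
    for (sa, da), (sb, db) in pairs:
        n = max(len(sa), len(sb))
        oa = [_order(c) for c in sa] + [0] * (n - len(sa))
        ob = [_order(c) for c in sb] + [0] * (n - len(sb))
        if oa != ob:
            return -1 if oa < ob else 1
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no epoch given means epoch 0
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-")
    if not upstream:                 # no revision: whole string is upstream
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(release, installed):
    """True when the installed nfs-kernel-server is at or past the USN fix."""
    return compare(installed, FIXED[release]) >= 0
```

The installed version string can be read with `dpkg-query -W -f='${Version}' nfs-kernel-server`. A passing result does not show that the NFS services were restarted, which the notice requires for the fix to take effect.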