Univention Bugzilla – Bug 44674
libtirpc: Multiple issues (4.2)
Last modified: 2018-05-08 14:56:23 CEST
Upstream Debian package version 0.2.5-1+deb8u1 fixes this issue:

* rpcbind does not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb. (CVE-2017-8779)

libtirpc is a transport-independent RPC library used by rpcbind and other programs.
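The length check that the description above says was missing, as an added illustration in C; it is not code from rpcbind, libtirpc or the Debian patch. The function names, the sample messages and the 1024-byte cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAX_STRING 1024u /* assumed cap for this demo, not a libtirpc value */

/* Decode one XDR string (4-byte big-endian length, bytes, zero padding to a
 * multiple of 4). Returns a malloc'd copy the caller frees, or NULL. */
char *demo_xdr_string(const uint8_t *buf, size_t buflen, size_t maxlen)
{
    if (buflen < 4)
        return NULL;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    size_t avail = buflen - 4;

    /* The declared length is sender-controlled: compare it with the protocol
     * maximum and with the bytes actually received before allocating. */
    if (len > maxlen || len > avail)
        return NULL;
    if ((((size_t)len + 3u) & ~(size_t)3u) > avail)
        return NULL; /* padding is missing */

    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    return s;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t DEMO_OK[] = {0, 0, 0, 3, 't', 'c', 'p', 0};
const uint8_t DEMO_OVERSIZED[] = {0x7f, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A'};
const uint8_t DEMO_TRUNCATED[] = {0, 0, 0, 16, 'u', 'd', 'p', 0};

/* Returns 1 if the message decodes to `expect`, 0 if rejected or different. */
int demo_decodes_to(const uint8_t *buf, size_t n, const char *expect)
{
    char *s = demo_xdr_string(buf, n, DEMO_MAX_STRING);
    int ok = (s != NULL) && strcmp(s, expect) == 0;
    free(s); /* released on every path, so a rejected or wrong message leaks nothing */
    return ok;
}

int main(void)
{
    return (demo_decodes_to(DEMO_OK, sizeof DEMO_OK, "tcp") &&
            !demo_decodes_to(DEMO_OVERSIZED, sizeof DEMO_OVERSIZED, "AAAA")) ? 0 : 1;
}
```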
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553
YAML: git:bd6159834a..449aa5a7cf
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libtirpc_0.2.5-1.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/libtirpc_0.2.5-1+deb8u1.dsc @@ -1,3 +1,7 @@ +0.2.5-1+deb8u1 [Thu, 04 May 2017 16:05:42 +0200] Moritz Mühlenhoff <jmm@debian.org>: + + * CVE-2017-8779 + 0.2.5-1 [Tue, 09 Sep 2014 02:30:09 +0100] Anibal Monsalve Salazar <anibal@debian.org>: * New upstream version 0.2.5.
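Review bot: the added 0.2.5-1+deb8u1 changelog entry in the libtirpc hunk consists only of "* CVE-2017-8779" and says nothing about what was changed. The erratum should carry a one-line summary of the fix next to the CVE id so that the update can be checked against the advisory text without opening the Debian source package.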
--- mirror/ftp/4.2/unmaintained/4.2-0/source/rpcbind_0.2.1-6+deb8u1A~4.2.0.201702281317.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/rpcbind_0.2.1-6+deb8u2A~4.2.3.201801251012.dsc @@ -1,7 +1,11 @@ -0.2.1-6+deb8u1A~4.2.0.201702281317 [Tue, 28 Feb 2017 13:17:58 +0100] Univention builddaemon <buildd@univention.de>: +0.2.1-6+deb8u2A~4.2.3.201801251012 [Thu, 25 Jan 2018 10:12:58 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-version-check-ucs420 + +0.2.1-6+deb8u2 [Thu, 04 May 2017 19:37:10 +0200] Moritz Mühlenhoff <jmm@debian.org>: + + * CVE-2017-8779 0.2.1-6+deb8u1 [Fri, 18 Sep 2015 18:45:15 +0200] Salvatore Bonaccorso <carnil@debian.org>:
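Review bot: the rebuilt 0.2.1-6+deb8u2A~4.2.3.201801251012 entry in the rpcbind hunk still lists 0001-version-check-ucs420 under "The following patches have been applied to the original source package", so this build is not identical to Debian's 0.2.1-6+deb8u2. The QA record should state that this patch applies unchanged on top of the CVE-2017-8779 update. The bug title names only libtirpc, while this diff also updates rpcbind; the summary should mention both packages.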
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok

<http://errata.software-univention.de/ucs/4.2/353.html>
<http://errata.software-univention.de/ucs/4.2/396.html>