Bug 46158 – rpcbind: Multiple issues (4.2)

Bug 46158 - rpcbind: Multiple issues (4.2)


Summary:	rpcbind: Multiple issues (4.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-3-errata
Assigned To:	Philipp Hahn
QA Contact:	Arvid Requate

URL:	http://metadata.ftp-master.debian.org...
Keywords:

Depends on:	44674
Blocks:
	Show dependency tree / graph

Reported:	2018-01-24 21:10 CET by Philipp Hahn
Modified:	2018-05-08 14:56 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Philipp Hahn

2018-01-24 21:10:33 CET

rpcbind (0.2.1-6+deb8u2) jessie-security; urgency=medium

CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays

Comment 1 Philipp Hahn

2018-01-25 10:59:54 CET

Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf

Comment 2 Philipp Hahn

2018-02-27 09:11:18 CET

Must be released with or after Bug #46158:
>  The following packages have unmet dependencies:
>   rpcbind : Depends: libtirpc1 (>= 0.2.5-1+deb8u1) but it is not going to be installed

3b53be9028 Bug #46158: rpcbind 0.2.1-6+deb8u2

Comment 3 Quality Assurance

2018-05-04 16:55:09 CEST

--- mirror/ftp/4.2/unmaintained/4.2-0/source/rpcbind_0.2.1-6+deb8u1A~4.2.0.201702281317.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/rpcbind_0.2.1-6+deb8u2A~4.2.3.201801251012.dsc
@@ -1,7 +1,11 @@
-0.2.1-6+deb8u1A~4.2.0.201702281317 [Tue, 28 Feb 2017 13:17:58 +0100] Univention builddaemon <buildd@univention.de>:
+0.2.1-6+deb8u2A~4.2.3.201801251012 [Thu, 25 Jan 2018 10:12:58 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-version-check-ucs420
+
+0.2.1-6+deb8u2 [Thu, 04 May 2017 19:37:10 +0200] Moritz Mühlenhoff <jmm@debian.org>:
+
+  * CVE-2017-8779
 
 0.2.1-6+deb8u1 [Fri, 18 Sep 2015 18:45:15 +0200] Salvatore Bonaccorso <carnil@debian.org>:

Comment 4 Arvid Requate

2018-05-07 11:32:16 CEST

* All UCS specific patches applied during rebuilt:
  4.2-0-0-ucs/0.2.1-6+deb8u2-errata4.2-3/0001-version-check-ucs420.patch
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok (also references Bug #44674)

Comment 5 Arvid Requate

2018-05-08 14:56:56 CEST

<http://errata.software-univention.de/ucs/4.2/396.html>