SciLinux: CVE-2008-4552 Low: nfs-utils SL5.x i386/x86_64
Summary
Date: Wed, 11 Nov 2009 15:42:29 -0600Reply-To: Troy DawsonSender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Low: nfs-utils on SL5.x i386/x86_64Comments: To: "scientific-linux-errata@fnal.gov" Synopsis: Low: nfs-utils security and bug fix updateIssue date: 2009-09-02CVE Names: CVE-2008-4552It was discovered that nfs-utils did not use tcp_wrappers correctly.Certain hosts access rules defined in "/etc/hosts.allow" and"/etc/hosts.deny" may not have been honored, possibly allowing remoteattackers to bypass intended access restrictions. (CVE-2008-4552)This updated package also fixes the following bugs:* the "LOCKD_TCPPORT" and "LOCKD_UDPPORT" options in "/etc/sysconfig/nfs" were not honored: the lockd daemon continued to use random ports. With this update, these options are honored. (BZ#434795)* it was not possible to mount NFS file systems from a system that hasthe "/etc/" directory mounted on a read-only file system (this could occur on systems with an NFS-mounted root file system). With this update, it is possible to mount NFS file systems from a system that has "/etc/" mounted on a read-only file system. (BZ#450646)* arguments specified by "STATDARG=" in "/etc/sysconfig/nfs" were removed by the nfslock init script, meaning the arguments specified were never passed to rpc.statd. With this update, the nfslock init script no longer removes these arguments. (BZ#459591)* when mounting an NFS file system from a host not specified in the NFSserver's "/etc/exports" file, a misleading "unknown host" error was logged on the server (the hostname lookup did not fail). With this update, a clearer error message is provided for these situations. (BZ#463578)* the nhfsstone benchmark utility did not work with NFS version 3 and 4.This update adds support to nhfsstone for NFS version 3 and 4. The newnhfsstone "-2", "-3", and "-4" options are used to select an NFS version(similar to nfsstat(8)). (BZ#465933)* the exportfs(8) manual page contained a spelling mistake, "djando", inthe EXAMPLES section. (BZ#474848)* in some situations the NFS server incorrectly refused mounts to hoststhat had a host alias in a NIS netgroup. (BZ#478952)* in some situations the NFS client used its cache, rather than usingthe latest version of a file or directory from a given export. This update adds a new mount option, "lookupcache=", which allows the NFS client to control how it caches files and directories. Note: The Scientific Linux 2.6.18-164 or later kernel update must be installed in order to use the "lookupcache=" option. Also, "lookupcache=" is currently only available for NFS version 3. Support for NFS version 4 may be introduced in future Scientific Linux 5 updates. (BZ#489335)After installing this update, the nfs service will be restarted automatically.Note: This update is already in SL 5.4SL 5.x SRPMS:nfs-utils-1.0.9-42.el5.src.rpm i386:nfs-utils-1.0.9-42.el5.i386.rpmnfs-utils-lib-1.0.8-7.6.el5.i386.rpmnfs-utils-lib-devel-1.0.8-7.6.el5.i386.rpm x86_64:nfs-utils-1.0.9-42.el5.x86_64.rpmnfs-utils-lib-1.0.8-7.6.el5.i386.rpmnfs-utils-lib-1.0.8-7.6.el5.x86_64.rpmnfs-utils-lib-devel-1.0.8-7.6.el5.i386.rpmnfs-utils-lib-devel-1.0.8-7.6.el5.x86_64.rpm-Connie Sieh-Troy Dawson