Date:         Wed, 11 Nov 2009 15:42:29 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Low: nfs-utils on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Low: nfs-utils security and bug fix update
Issue date:	2009-09-02
CVE Names:	CVE-2008-4552


It was discovered that nfs-utils did not use tcp_wrappers correctly.
Certain hosts access rules defined in "/etc/hosts.allow" and
"/etc/hosts.deny" may not have been honored, possibly allowing remote
attackers to bypass intended access restrictions. (CVE-2008-4552)

This updated package also fixes the following bugs:

* the "LOCKD_TCPPORT" and "LOCKD_UDPPORT" options in 
"/etc/sysconfig/nfs" were not honored: the lockd daemon continued to use 
random ports. With this update, these options are honored. (BZ#434795)

* it was not possible to mount NFS file systems from a system that has
the "/etc/" directory mounted on a read-only file system (this could 
occur on systems with an NFS-mounted root file system). With this 
update, it is possible to mount NFS file systems from a system that has 
"/etc/" mounted on a read-only file system. (BZ#450646)

* arguments specified by "STATDARG=" in "/etc/sysconfig/nfs" were 
removed by the nfslock init script, meaning the arguments specified were 
never passed to rpc.statd. With this update, the nfslock init script no 
longer removes these arguments. (BZ#459591)

* when mounting an NFS file system from a host not specified in the NFS
server's "/etc/exports" file, a misleading "unknown host" error was 
logged on the server (the hostname lookup did not fail). With this 
update, a clearer error message is provided for these situations. 
(BZ#463578)

* the nhfsstone benchmark utility did not work with NFS version 3 and 4.
This update adds support to nhfsstone for NFS version 3 and 4. The new
nhfsstone "-2", "-3", and "-4" options are used to select an NFS version
(similar to nfsstat(8)). (BZ#465933)

* the exportfs(8) manual page contained a spelling mistake, "djando", in
the EXAMPLES section. (BZ#474848)

* in some situations the NFS server incorrectly refused mounts to hosts
that had a host alias in a NIS netgroup. (BZ#478952)

* in some situations the NFS client used its cache, rather than using
the latest version of a file or directory from a given export. This 
update adds a new mount option, "lookupcache=", which allows the NFS 
client to control how it caches files and directories. Note: The 
Scientific Linux 2.6.18-164 or later kernel update  must be installed in 
order to use the "lookupcache=" option. Also, "lookupcache=" is 
currently only available for NFS version 3. Support for NFS version 4 
may be introduced in future Scientific Linux 5 updates.  (BZ#489335)

After installing this update, the nfs service will be restarted 
automatically.

Note: This update is already in SL 5.4

SL 5.x

     SRPMS:
nfs-utils-1.0.9-42.el5.src.rpm
     i386:
nfs-utils-1.0.9-42.el5.i386.rpm
nfs-utils-lib-1.0.8-7.6.el5.i386.rpm
nfs-utils-lib-devel-1.0.8-7.6.el5.i386.rpm
     x86_64:
nfs-utils-1.0.9-42.el5.x86_64.rpm
nfs-utils-lib-1.0.8-7.6.el5.i386.rpm
nfs-utils-lib-1.0.8-7.6.el5.x86_64.rpm
nfs-utils-lib-devel-1.0.8-7.6.el5.i386.rpm
nfs-utils-lib-devel-1.0.8-7.6.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson