Subject: | |
From: | |
Reply To: | |
Date: | Wed, 11 Nov 2009 15:42:29 -0600 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
Synopsis: Low: nfs-utils security and bug fix update
Issue date: 2009-09-02
CVE Names: CVE-2008-4552
It was discovered that nfs-utils did not use tcp_wrappers correctly.
Certain hosts access rules defined in "/etc/hosts.allow" and
"/etc/hosts.deny" may not have been honored, possibly allowing remote
attackers to bypass intended access restrictions. (CVE-2008-4552)
This updated package also fixes the following bugs:
* the "LOCKD_TCPPORT" and "LOCKD_UDPPORT" options in
"/etc/sysconfig/nfs" were not honored: the lockd daemon continued to use
random ports. With this update, these options are honored. (BZ#434795)
* it was not possible to mount NFS file systems from a system that has
the "/etc/" directory mounted on a read-only file system (this could
occur on systems with an NFS-mounted root file system). With this
update, it is possible to mount NFS file systems from a system that has
"/etc/" mounted on a read-only file system. (BZ#450646)
* arguments specified by "STATDARG=" in "/etc/sysconfig/nfs" were
removed by the nfslock init script, meaning the arguments specified were
never passed to rpc.statd. With this update, the nfslock init script no
longer removes these arguments. (BZ#459591)
* when mounting an NFS file system from a host not specified in the NFS
server's "/etc/exports" file, a misleading "unknown host" error was
logged on the server (the hostname lookup did not fail). With this
update, a clearer error message is provided for these situations.
(BZ#463578)
* the nhfsstone benchmark utility did not work with NFS version 3 and 4.
This update adds support to nhfsstone for NFS version 3 and 4. The new
nhfsstone "-2", "-3", and "-4" options are used to select an NFS version
(similar to nfsstat(8)). (BZ#465933)
* the exportfs(8) manual page contained a spelling mistake, "djando", in
the EXAMPLES section. (BZ#474848)
* in some situations the NFS server incorrectly refused mounts to hosts
that had a host alias in a NIS netgroup. (BZ#478952)
* in some situations the NFS client used its cache, rather than using
the latest version of a file or directory from a given export. This
update adds a new mount option, "lookupcache=", which allows the NFS
client to control how it caches files and directories. Note: The
Scientific Linux 2.6.18-164 or later kernel update must be installed in
order to use the "lookupcache=" option. Also, "lookupcache=" is
currently only available for NFS version 3. Support for NFS version 4
may be introduced in future Scientific Linux 5 updates. (BZ#489335)
After installing this update, the nfs service will be restarted
automatically.
Note: This update is already in SL 5.4
SL 5.x
SRPMS:
nfs-utils-1.0.9-42.el5.src.rpm
i386:
nfs-utils-1.0.9-42.el5.i386.rpm
nfs-utils-lib-1.0.8-7.6.el5.i386.rpm
nfs-utils-lib-devel-1.0.8-7.6.el5.i386.rpm
x86_64:
nfs-utils-1.0.9-42.el5.x86_64.rpm
nfs-utils-lib-1.0.8-7.6.el5.i386.rpm
nfs-utils-lib-1.0.8-7.6.el5.x86_64.rpm
nfs-utils-lib-devel-1.0.8-7.6.el5.i386.rpm
nfs-utils-lib-devel-1.0.8-7.6.el5.x86_64.rpm
-Connie Sieh
-Troy Dawson
|
|
|