GNU bug report logs - #26781
rpcbind, libtirpc CVE-2017-8779

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 26781 in the body.
You can then email your comments to 26781 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: rpcbind, libtirpc CVE-2017-8779
Date: Thu, 4 May 2017 21:32:27 -0400

[Message part 1 (text/plain, inline)]

These patches update libtirpc and rpcbind to the latest release and fix
CVE-2017-8779 ("rpcbomb").

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

[0001-gnu-rpcbind-Update-to-0.2.4.patch (text/plain, attachment)]

[0002-gnu-libtirpc-Update-to-1.0.1.patch (text/plain, attachment)]

[0003-gnu-rpcbind-libtirpc-Fix-CVE-2017-8779.patch (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 26781 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26781 <at> debbugs.gnu.org
Subject: Re: bug#26781: rpcbind, libtirpc CVE-2017-8779
Date: Thu, 04 May 2017 23:02:22 -0400

[Message part 1 (text/plain, inline)]

Leo Famulari <leo <at> famulari.name> writes:

> These patches update libtirpc and rpcbind to the latest release and fix
> CVE-2017-8779 ("rpcbomb").
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
> https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

LGTM.

[signature.asc (application/pgp-signature, inline)]

Message #11 received at 26781 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 26781 <at> debbugs.gnu.org
Subject: Re: bug#26781: rpcbind, libtirpc CVE-2017-8779
Date: Fri, 05 May 2017 09:56:44 +0200

Leo Famulari <leo <at> famulari.name> skribis:

> These patches update libtirpc and rpcbind to the latest release and fix
> CVE-2017-8779 ("rpcbomb").
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
> https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

Excellent.  The 3 patches LGTM.

Thank you Leo!

Ludo’.

Message #16 received at 26781-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 26781-done <at> debbugs.gnu.org
Subject: Re: bug#26781: rpcbind, libtirpc CVE-2017-8779
Date: Fri, 5 May 2017 15:35:56 -0400

[Message part 1 (text/plain, inline)]

On Fri, May 05, 2017 at 09:56:44AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > These patches update libtirpc and rpcbind to the latest release and fix
> > CVE-2017-8779 ("rpcbomb").
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
> > https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/
> 
> Excellent.  The 3 patches LGTM.
> 
> Thank you Leo!

Thanks for the reviews! Pushed!

I sent a followup patch to update nfs-utils. Somebody who uses NFS
should review it.

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.