Summary: | <sys-apps/xinetd-2.3.15: ignores access restrictions (CVE-2012-0862) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | base-system |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0862 | ||
Whiteboard: | C4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Hans de Graaff
2012-06-13 06:15:08 UTC
Commit message: Version bump
http://sources.gentoo.org/sys-apps/xinetd/xinetd-2.3.15.ebuild?rev=1.1

Thanks for the report, Hans. @base-system, may we proceed to stabilize =sys-apps/xinetd-2.3.15 ?

CVE-2012-0862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0862): builtins.c in Xinetd before 2.3.15 does not check the service type when the tcpmux-server service is enabled, which exposes all enabled services and allows remote attackers to bypass intended access restrictions via a request to tcpmux port 1.

(In reply to comment #2) should be fine

Arches, please test and mark stable: =sys-apps/xinetd-2.3.15 Target KEYWORDS="alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

amd64 stable

x86 stable

Stable for HPPA.

arm stable

alpha/ia64/m68k/s390/sh/sparc ppc done

ppc64 stable, last arch done

Thanks, folks. GLSA Vote: yes.

Vote: NO! ...does not check the service type when the tcpmux-server service is enabled... So this seems to be C4 rather than B4 anyways. Defaults from /etc/xinetd.d/tcpmux-server:

service tcpmux
{
        disable = yes

Changing to C4. Closing noglsa.
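An added audit sketch (not part of the bug report and not xinetd code): given xinetd.d-style configuration text, it lists the enabled services that an enabled tcpmux-server on xinetd before 2.3.15 would serve on port 1 even though they are not typed TCPMUX or TCPMUXPLUS. The sample configuration is constructed, the function names are hypothetical, and the sketch assumes no `defaults` section with `enabled`/`disabled` lists.

```python
import re

# Constructed sample in xinetd.d syntax (not taken from a real host).
SAMPLE = """
service tcpmux
{
    type = INTERNAL
    disable = no
}
service rsync
{
    disable = no
    only_from = 10.0.0.0/8
}
service backup
{
    type = TCPMUX
    disable = no
}
service telnet
{
    disable = yes
}
"""

BLOCK = re.compile(r"^\s*service\s+(\S+)\s*\{([^}]*)\}", re.M)

def parse_services(text):
    """Return [(name, {attribute: value})] for every service block."""
    services = []
    for name, body in BLOCK.findall(re.sub(r"#.*", "", text)):
        attrs = {}
        for line in body.splitlines():
            key, sep, val = line.partition("=")
            if sep:  # also accepts the "+=" and "-=" operators
                attrs[key.strip(" \t+-").lower()] = val.strip()
        services.append((name, attrs))
    return services

def is_enabled(attrs):
    # A service runs unless its block says "disable = yes".
    return attrs.get("disable", "no").lower() != "yes"

def tcpmux_exposed(text):
    """Enabled non-TCPMUX services a pre-2.3.15 tcpmux-server would serve."""
    services = parse_services(text)
    if not any(n == "tcpmux" and is_enabled(a) for n, a in services):
        return []  # tcpmux-server disabled: port 1 is not listening
    return [n for n, a in services if n != "tcpmux" and is_enabled(a)
            and not {"TCPMUX", "TCPMUXPLUS"} & set(a.get("type", "").upper().split())]
```

On a host, feed it the concatenated contents of /etc/xinetd.d/*; an empty result with tcpmux-server disabled matches the default noted in the thread.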