| Summary: | <sys-block/nbd-3.5: Improper Access Restriction (CVE-2013-6410) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | base-system |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1035998 | ||
| Whiteboard: | B4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Commit message: Version bump http://sources.gentoo.org/sys-block/nbd/files/nbd-3.5-gznbd-printf-u64.patch?rev=1.1 http://sources.gentoo.org/sys-block/nbd/files/nbd-3.5-gznbd-zlib.patch?rev=1.1 http://sources.gentoo.org/sys-block/nbd/nbd-3.5.ebuild?rev=1.1 Arches, please test and mark stable: =sys-block/nbd-3.5 Target keywords : "amd64 arm ppc ppc64 x86" amd64 stable x86 stable ppc stable ppc64 stable arm stable. Maintainer(s), please cleanup. Security, please vote. Vulnerable packages still in Tree. Maintainer(s), please drop the vulnerable version. GLSA Vote: No Maintainer(s), please drop the vulnerable version. Vulnerable versions have been in tree since December of 2013. NO too, keeping open for cleanup. Maintainer(s): Ping on cleanup! Vulnerable versions have been removed a while ago. Resolving as it's marked as noglsa. |
From ${URL} : nbd-server has the ability to deny connection requests to clients unless their IP addresses are listed in a tcpwrappers-style configuration file. Due to incorrect use of strncmp() in the parser for this file, however, it would allow clients to connect so long as their IP address in ASCII representation would start with something in the ACL file; e.g., 198.51.100.12 would be allowed if 198.51.100.1 was listed. References: http://seclists.org/oss-sec/2013/q4/366 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.