Debian released an advisory for nbd, not sure whether we are affected. Kurt Fitzner discovered a buffer overflow in nbd, the network block device client and server, that could potentially allow arbitrary code on the NBD server.
base-system, please advise and provide updated ebuilds if necessary. The CVE seems to be wrong, but maybe this helps: http://sourceforge.net/mailarchive/forum.php?thread_id=9201144&forum_id=40388
2.8.2-r1 in portage with the fix.
Arches please test and mark stable.
amd64 stable
Stable on ppc.
x86 stable
ready for glsa
Forwarding this from #gentoo: Yoe: Hi! I'm the maintainer of the NBD utilities (not in Gentoo; upstream, and in Debian). There's been a security issue with that one, and Gentoo is preparing a GLSA. Yoe: However, they're not doing it right; the update is preparing with 2.8.2, but you need at least 2.8.3 to plug the hole. Yoe: I sent mail to dercorney@gentoo.org with that information (who's declared it "ready for GLSA"), but I'd like to avoid that you guys get it wrong. Could anyone please add some comment to that bug? (1) it's CVE-2005-3534 rather than 3354, and (2) you need NBD 2.8.3 to plug the hole, rather than 2.8.2; the latter is still vulnerable.
Thanks for the heads-up, the mail didn't make it through, I'm sorry (maybe because the email addy was wrong?). We ship 2.8.2-r1, -r1 for revision one, including a security patch - so in fact we should be fine here and can keep the GLSA status. Updating CVE number.
GLSA 200512-14