CVE-2008-4552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4552): nfs-utils 1.0.9, and possibly other versions before 1.1.3, invokes the host_ctl function with the wrong order of arguments, which causes TCP Wrappers to ignore netgroups and allows remote attackers to bypass intended access restrictions.
Seems that 1.0.9 up to 1.1.2 is vulnerable, we should stabilize 1.1.4 and mask the others, I guess. net-fs, are there reasons why we have only 1.0.12-r1 and 1.1.0-r1 stable? Is #235462 fixed in 1.1.4?
Mike, would you recommend on stabling 1.1.3 or 1.1.4 for this bug? For 1.1.4, bug 243066 might need fixing first.
1.1.3 should be fine
Arches, please test and mark stable: =net-fs/nfs-utils-1.1.3 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
# emerge -1av =net-fs/nfs-utils-1.1.3 These are the packages that would be merged, in order: Calculating dependencies \ !!! All ebuilds that could satisfy "sys-libs/e2fsprogs-libs" have been masked. !!! One of the following masked packages is required to complete your request: - sys-libs/e2fsprogs-libs-1.41.3 (masked by: ~x86 keyword) - sys-libs/e2fsprogs-libs-1.41.2 (masked by: ~x86 keyword) - sys-libs/e2fsprogs-libs-1.41.1 (masked by: ~x86 keyword) - sys-libs/e2fsprogs-libs-1.41.0 (masked by: ~x86 keyword) should we take e2fsprogs-libs-1.41.1 (>30 days in the tree)?
i think e2fsprogs-libs have been around long enough to stabilize ... that said, current versions of nfs-utils have an unstated depend on e2fsprogs-libs, so we could in theory just drop the depend in 1.1.3 since it wouldnt be a regression for stable ...
amd64/x86 stable
ppc64 stable by ranger
Stable for HPPA.
ppc stable
(In reply to comment #3) > 1.1.3 should be fine I am not sure if this should be moved to a new bug, but 1.1.3 seems to break nfsroot under Gentoo. /etc/init.d/root fails to remount root filesystem in read-write mode. The command is the following : mount / -n -o remount,rw and the result is : mount.nfs: Invalid argument Any idea if the parameters somehow changed for 1.1.3 and if the root script needs an update?
Maybe related: http://bugs.gentoo.org/show_bug.cgi?id=198601
alpha/ia64 stable
sparc: *ping*
sparc stable sorry for the delay, had to wait for portage-2.1.6 for e2fsprogs-libs
Ready for vote, I vote YES.
Yes, too. Request filed.
GLSA 200903-06