From ${URL}: Rpcbind does not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb. References: http://seclists.org/oss-sec/2017/q2/209 https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
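As an added illustration of the allocation pattern the report describes (example code written for this page, not taken from libtirpc, rpcbind or the linked patches; RPC_MAX_DATA is an assumed cap standing in for the RPC maximum data size, and the two datagram bodies are constructed), the following C decodes an XDR string once with the length field trusted and once with it bounded:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Illustration written for this page, not code from libtirpc or rpcbind.
 * An XDR string on the wire is a 4-byte big-endian length followed by the
 * bytes, padded to a multiple of 4 (RFC 4506, section 4.11). The cap below
 * is an assumed value standing in for the RPC maximum data size. */
#define RPC_MAX_DATA 8192u   /* hypothetical cap, not the real constant */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unbounded pattern: trust the length field and size the allocation from it
 * before checking what the datagram actually carries. Returns the byte count
 * such a decoder would request from malloc (0 if the header is short); the
 * example only computes it rather than allocating gigabytes. */
uint64_t xdr_string_alloc_unbounded(const unsigned char *buf, size_t buflen)
{
    if (buflen < 4)
        return 0;
    return (uint64_t)be32(buf) + 1;   /* attacker-chosen length, plus NUL */
}

/* Bounded pattern: reject lengths above the RPC maximum and lengths the
 * datagram cannot contain, and only then allocate. Returns a NUL-terminated
 * copy (caller frees) or NULL. */
char *xdr_string_decode_bounded(const unsigned char *buf, size_t buflen,
                                uint32_t maxsize, size_t *out_len)
{
    if (buflen < 4)
        return NULL;
    uint32_t len = be32(buf);
    if (len > maxsize)              /* larger than any valid RPC payload */
        return NULL;
    if ((size_t)len > buflen - 4)   /* claims more bytes than were received */
        return NULL;
    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    if (out_len)
        *out_len = len;
    return s;
}

/* Constructed sample datagram bodies (not captured traffic). */
static const unsigned char good_pkt[] = {
    0x00, 0x00, 0x00, 0x07, 'r', 'p', 'c', 'b', 'i', 'n', 'd', 0x00 };
static const unsigned char crafted_pkt[] = { 0xff, 0xff, 0xff, 0xf0 };

/* Returns 1 if the well-formed string decodes as "rpcbind". */
int demo_good_decodes(void)
{
    size_t n = 0;
    char *s = xdr_string_decode_bounded(good_pkt, sizeof good_pkt, RPC_MAX_DATA, &n);
    int ok = (s != NULL) && n == 7 && strcmp(s, "rpcbind") == 0;
    free(s);
    return ok;
}

/* Returns 1 if the 4-byte crafted header is rejected by the bounded decoder
 * while the unbounded pattern would have asked for about 4 GiB. */
int demo_crafted_rejected(void)
{
    uint64_t asked = xdr_string_alloc_unbounded(crafted_pkt, sizeof crafted_pkt);
    char *s = xdr_string_decode_bounded(crafted_pkt, sizeof crafted_pkt, RPC_MAX_DATA, NULL);
    return s == NULL && asked == 0xfffffff1ULL;
}

int main(void)
{
    printf("good packet decodes: %d\n", demo_good_decodes());
    printf("crafted packet rejected: %d\n", demo_crafted_rejected());
    printf("unbounded decoder would request %llu bytes for a 4-byte packet\n",
           (unsigned long long)xdr_string_alloc_unbounded(crafted_pkt, sizeof crafted_pkt));
    return 0;
}
```

The point of the two checks in the bounded decoder is that a UDP datagram can never legitimately carry a string longer than the datagram itself, so the received length is a hard upper bound regardless of what the protocol maximum is; checking against the protocol maximum alone still lets a single small packet drive one large allocation.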
Bump done, will need to be re-stabilized. Should be fine to stabilize, those patches look safe. net-libs/libtirpc-1.0.1-r1 net-nds/rpcbind-0.2.4-r1 https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d968a5aa9ebfa6bc766bed99370e164f08b9a0dc https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eae6e7a80bc2934ae1557731fc0ad71cd92af99b
amd64 stable
Stable for HPPA.
x86 stable
sparc stable
Stable on alpha.
ppc ppc64 stable
arm stable
Remaining arches are not part of the security-supported architectures, proceeding with security. Arches, please stabilize as soon as possible to secure the package. GLSA Vote: Yes. New GLSA Request filed.
ia64 please finish stabilization. Maintainer(s), please drop the vulnerable version(s). GLSA is going to be released.
This issue was resolved and addressed in GLSA 201706-07 at https://security.gentoo.org/glsa/201706-07 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architecture.
There's a typo in glsa-201706-07.xml / on the GLSA page: the rpcbind affected/unaffected version is set to "0.2.4-r", which breaks glsa-check -t all.
(In reply to Valeriy Malov from comment #13)
> There's a typo in glsa-201706-07.xml / on glsa page, rpcbind affected/unaffected version is set to "0.2.4-r", which breaks glsa-check -t all
Thanks! GLSA fixed.
ia64 stable. Maintainer(s), please cleanup.
@base-system, can we please clean?
please drop <net-nds/rpcbind-0.2.4-r1!
Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9392b103397ac6227b8a141d8a262e86bfcc239e