[2380] in linux-security and linux-alert archive
[linux-security] Statd vulnerability [RHSA-2000:043-02]
daemon@ATHENA.MIT.EDU (Jan Kasprzak)
Wed Jul 19 11:55:47 2000
From: Jan Kasprzak <kas@informatics.muni.cz>
Date: Wed, 19 Jul 2000 10:28:16 +0200
To: linux-security@redhat.com
Message-ID: <20000719102816.D708@informatics.muni.cz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Resent-From: linux-security@redhat.com
Hello, world!
In a recent advisory [RHSA-2000:043-02] Red Hat describes
the vulnerability in rpc.statd and the fix for this. There is a problem
with this advisory, though: the proposed solution is to upgrade
nfs-utils using the "rpm -Uvh .../nfs-utils*rpm" command. Beware that
running this command _DOES_NOT_ restart the already-running
stat daemon, so your machine remains vulnerable until rpc.statd is
restarted or the machine is rebooted.
You have to run "killall rpc.statd" and then
"/sbin/rpc.statd", if you have the stat daemon running on your machine.
I think Red Hat should modify their advisory to explicitly state
the need to restart rpc.statd by hand, or (better) update the
post-install script of nfs-utils to restart the running daemons on
upgrade -- something like this:
%post
# Restart the daemons only when they are actually running: the Red Hat
# init scripts leave a lock file in /var/lock/subsys while a service is up.
if test -r /var/lock/subsys/nfs
then
        /etc/rc.d/init.d/nfs restart
fi
if test -r /var/lock/subsys/nfsstat
then
        /etc/rc.d/init.d/nfsstat restart
fi
-Yenya
--
\ Jan "Yenya" Kasprzak <kas at fi.muni.cz> http://www.fi.muni.cz/~kas/
\\ PGP: finger kas at aisa.fi.muni.cz 0D99A7FB206605D7 8B35FCDE05B18A5E //
\\\ Czech Linux Homepage: http://www.linux.cz/ ///
/// Do you know how Microsoft makes virus-free CDs? ... ... ... It uses UNIX! \\\
// http://support.microsoft.com/support/kb/articles/Q80/5/20.ASP \\
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
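A check to go with the advice in the message above, added here as an example and not part of the original post or of Red Hat's nfs-utils package: after "rpm -Uvh nfs-utils*.rpm" the old rpc.statd keeps running from the now-unlinked binary, and on Linux /proc/<pid>/exe of such a process reads back as "<path> (deleted)". The script below turns that into a test for "daemon still running pre-upgrade code" and restarts the daemon only when that is the case. It assumes a Linux /proc, a readlink(1) binary, that the daemon is started as /sbin/rpc.statd (as the post says), and that it is run as root so /proc/<pid>/exe of root-owned daemons is readable; the file name check_statd.sh is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). After
#   rpm -Uvh nfs-utils*.rpm
# the old rpc.statd keeps running from the unlinked binary. On Linux,
# /proc/<pid>/exe of such a process reads back as "<path> (deleted)",
# which gives a direct test for "daemon still running the pre-upgrade
# code". Assumptions: Linux /proc, readlink(1) available, daemon started
# as /sbin/rpc.statd, and running as root so /proc/<pid>/exe is readable.

# stale_exe LINK: exit 0 when LINK (readlink output for /proc/PID/exe)
# shows the executable was replaced or removed on disk.
stale_exe() {
    case "$1" in
        *' (deleted)') return 0 ;;
        *)             return 1 ;;
    esac
}

# pids_of NAME: print pids whose command name is NAME, by scanning
# /proc/*/stat (field 2 is "(comm)"); needs neither pidof nor pgrep.
pids_of() {
    for d in /proc/[0-9]*; do
        [ -r "$d/stat" ] || continue
        read -r _pid comm _rest < "$d/stat" || continue
        [ "$comm" = "($1)" ] && echo "${d#/proc/}"
    done
    return 0
}

# stale_pids NAME: print only those pids of NAME still executing a
# binary that has since been replaced on disk.
stale_pids() {
    for pid in $(pids_of "$1"); do
        link=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        stale_exe "$link" && echo "$pid"
    done
    return 0
}

# restart_if_stale NAME START_CMD: kill stale instances of NAME and run
# START_CMD; exit 0 when a restart was done, 1 when nothing was stale.
restart_if_stale() {
    name=$1
    start=$2
    stale=$(stale_pids "$name")
    if [ -z "$stale" ]; then
        echo "$name: no instance is running the old binary"
        return 1
    fi
    echo "$name: pids $stale still run the old binary, restarting"
    # word-splitting of the pid list and of START_CMD is intended
    kill $stale
    sleep 1
    $start
}

# Usage (as root, right after the rpm upgrade):
#   sh check_statd.sh --restart
if [ "${1:-}" = "--restart" ]; then
    restart_if_stale rpc.statd /sbin/rpc.statd
fi
```

The "(deleted)" marker is the check worth keeping in a post-upgrade checklist: it does not depend on remembering whether a package's %post restarted anything, and it applies to every long-running daemon, not only rpc.statd. A reboot clears it trivially; on a box that must stay up, running the check after each security upgrade is the cheap way to catch the gap this message describes.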