[7702] in bugtraq
Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD
daemon@ATHENA.MIT.EDU (Scott Stone)
Wed Aug 19 05:25:43 1998
Date: Wed, 19 Aug 1998 17:56:47 +0900
Reply-To: Scott Stone <sstone@UME.PHT.CO.JP>
From: Scott Stone <sstone@UME.PHT.CO.JP>
X-To: RSI Advise <advise@enigma.repsec.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980818164731.10089B-100000@enigma.repsec.com>
On Tue, 18 Aug 1998, RSI Advise wrote:
> Announced: July 14, 1998
> Report code: RSI.0008.08-18-98.ALL.RPC_PCNFSD
> Report title: All rpc.pcnfsd
> Vulnerability: Please see the details section
> Vendor status: IBM contacted on August 3, 1998
> Hewlett Packard contacted on August 3, 1998
> Sun Microsystems contacted on August 3, 1998
> Slackware contacted on August 3, 1998
> Patch status: Linux and AIX patch information is provided below
> Platforms: Vulnerable:
>
> AIX: 4.0, 4.1, 4.2, 4.3
> HP-UX: 7.x, 8.x, 9.x, 10.x, 11.x
> SunOS: 4.1.3, 4.1.4
> Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
> Redhat Linux: 4.0, 4.1, 4.2, 5.0, 5.1
> Slackware Linux: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5
> OSF: 3.2
OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite
what it says up there. Why? Because neither TL nor RH 5.1 even include
rpc.pcnfsd (checked by querying every RPM package in both distributions,
grepping for 'pcnfs' -- no matches).
If the intent was to say that the Linux version of rpc.pcnfsd (and the
AIX version, i suppose) have this vulnerability, then please don't go
naming distributions that don't include it, since it's not the
responsibility of the distribution vendor to fix a package that's not part
of the distribution.
Was notification sent to the author/maintainer(s) of rpc.pcnfsd?
--------------------------------------------------
Scott M. Stone <sstone@pht.com, sstone@turbolinux.com>
<sstone@pht.co.jp>
Head of TurboLinux Development/Systems Administrator
Pacific HiTech, Inc (USA) / Pacific HiTech, KK (Japan)
http://www.pht.com http://armadillo.pht.co.jp
http://www.pht.co.jp http://www.turbolinux.com
