Debian Security Advisory

DLA-108-1 nfs-utils -- LTS security update

Date Reported: 13 Dec 2014
Affected Packages: nfs-utils
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2012-3541.
More information:

In the past, rpc.statd posted SM_NOTIFY requests using the same socket it used for sending downcalls to the kernel. To receive replies from remote hosts, the socket was bound to INADDR_ANY. To prevent unwanted data injection, this update binds the socket to the loopback address.

For Debian 6 Squeeze, this issue has been fixed in nfs-utils version 1:1.2.2-4squeeze3.
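
To check a host for the bind behaviour described above, the following added example (not part of the advisory or of nfs-utils) lists a process's UDP sockets from /proc/net/udp and labels each local address as wildcard (INADDR_ANY), loopback or specific. The sample table, the function names and the little-endian address decoding are assumptions of the example.

```python
import ipaddress
import os
import struct
import sys

# Constructed sample in /proc/net/udp layout (little-endian host); not real output.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  10: 00000000:03E8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1111 2 0000000000000000 0
  11: 0100007F:0367 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2222 2 0000000000000000 0
  12: 0A00A8C0:E4F1 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 3333 2 0000000000000000 0
"""

def parse_udp_table(text):
    """Yield (IPv4Address, port, inode) for each row of /proc/net/udp text."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_addr, hex_port = fields[1].split(":")
        # Assumption: little-endian host, so the printed word is byte-swapped.
        addr = ipaddress.IPv4Address(struct.pack("<I", int(hex_addr, 16)))
        yield addr, int(hex_port, 16), int(fields[9])

def socket_inodes(pid):
    """Return the socket inodes a process holds open, from /proc/<pid>/fd."""
    inodes = set()
    for fd in os.listdir(f"/proc/{pid}/fd"):
        try:
            target = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:  # descriptor closed while we were listing
            continue
        if target.startswith("socket:["):
            inodes.add(int(target[len("socket:["):-1]))
    return inodes

def classify_binds(text, inodes):
    """Label each UDP socket owned by `inodes` as wildcard, loopback or specific."""
    result = []
    for addr, port, inode in parse_udp_table(text):
        if inode in inodes:
            scope = ("wildcard" if addr.is_unspecified else
                     "loopback" if addr.is_loopback else "specific")
            result.append((str(addr), port, scope))
    return result

if __name__ == "__main__":  # usage: script.py <pid of rpc.statd>
    with open("/proc/net/udp") as f:
        print(classify_binds(f.read(), socket_inodes(int(sys.argv[1]))))
```

Run it as root with the PID of rpc.statd. /proc does not say which socket is the kernel downcall socket, so review wildcard entries by hand.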