Debian Security Advisory

DLA-108-1 nfs-utils -- LTS security update

Date Reported:
13 Dec 2014
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2012-3541.
More information:

In the past, rpc.statd posted SM_NOTIFY requests using the same socket it used for sending downcalls to the kernel. To receive replies from remote hosts, the socket was bound to INADDR_ANY. To prevent unwanted data injection, bind this socket to the loopback address.

For Debian 6 Squeeze, these issues have been fixed in nfs-utils version 1:1.2.2-4squeeze3