Debian Security Advisory
DLA-108-1 nfs-utils -- LTS security update
- Date Reported:
- 13 Dec 2014
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2012-3541.
- More information:
In the past, rpc.statd posted SM_NOTIFY requests using the same socket it used for sending downcalls to the kernel. To receive replies from remote hosts, the socket was bound to INADDR_ANY. To prevent unwanted data injection, bind this socket to the loopback address.
For Debian 6
Squeeze, these issues have been fixed in nfs-utils version 1:1.2.2-4squeeze3