UbuntuUpdates.org

Package "rpcbind"

Name: rpcbind

Description: converts RPC program numbers into universal addresses

Latest version: 0.2.3-0.6ubuntu0.18.04.4
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://sourceforge.net/projects/rpcbind/

Other versions of "rpcbind" in Bionic

Repository  Area  Version
base        main  0.2.3-0.6
updates     main  0.2.3-0.6ubuntu0.18.04.4

Changelog

Version: 0.2.3-0.6ubuntu0.18.04.4 2021-06-11 00:06:18 UTC

  rpcbind (0.2.3-0.6ubuntu0.18.04.4) bionic-security; urgency=medium

  * SECURITY REGRESSION: invalid pointer when freeing memory (LP: #1931507)
    - debian/patches/CVE-2017-8779-4.patch: stop freeing a static pointer
      in src/rpcb_svc_com.c.
    - debian/patches/CVE-2017-8779-5.patch: no need to allocate output
      buffer in src/rpcb_svc_com.c.

 -- Marc Deslauriers <email address hidden> Thu, 10 Jun 2021 17:40:45 -0400

1931507 rpcbind failing on 0.2.3-0.6ubuntu0.18.04.2
CVE-2017-8779 rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size duri

Version: 0.2.3-0.6ubuntu0.18.04.3 2021-06-10 21:06:21 UTC

  rpcbind (0.2.3-0.6ubuntu0.18.04.3) bionic-security; urgency=medium

  * SECURITY REGRESSION: assertion failure (LP: #1931507)
    - debian/patches/CVE-2017-8779-3.patch: fixed typo in memory leak patch
      in src/pmap_svc.c.

 -- Marc Deslauriers <email address hidden> Thu, 10 Jun 2021 14:40:54 -0400

1931507 rpcbind failing on 0.2.3-0.6ubuntu0.18.04.2
CVE-2017-8779 rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size duri

Version: 0.2.3-0.6ubuntu0.18.04.2 2021-06-09 12:06:23 UTC

  rpcbind (0.2.3-0.6ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via memory consumption (LP: #1925280)
    - debian/patches/CVE-2017-8779.patch: pair all svc_getargs() calls with
      svc_freeargs() to avoid memory leak in src/pmap_svc.c,
      src/rpcb_svc.c, src/rpcb_svc_4.c, src/rpcb_svc_com.c.
    - debian/patches/CVE-2017-8779-2.patch: fix building without
      --enable-debug in src/pmap_svc.c.
    - The patch included in 0.2.3-0.6 did not correctly fix this issue.
    - CVE-2017-8779

 -- Marc Deslauriers <email address hidden> Tue, 08 Jun 2021 09:03:58 -0400

1925280 rpcbind still vulnerable with CVE-2017-8779
CVE-2017-8779 rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size duri


