Debian Bug report logs - #627042
security flaw in 2.9.21


Package: nbd-server; Maintainer for nbd-server is Wouter Verhelst <>; Source for nbd-server is src:nbd.

Reported by: Wouter Verhelst <>

Date: Tue, 17 May 2011 08:30:02 UTC

Severity: serious

Tags: security

Found in version nbd/1:2.9.21-1

Fixed in version nbd/1:2.9.22-1

Done: Wouter Verhelst <>

Bug is archived. No further changes may be made.


Report forwarded to,,
Bug#627042; Package nbd-server. (Tue, 17 May 2011 08:30:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wouter Verhelst <>:
New Bug report received and forwarded. Copy sent to, (Tue, 17 May 2011 08:30:08 GMT) Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Wouter Verhelst <>
To: Debian Bug Tracking System <>
Subject: security flaw in 2.9.21
Date: Tue, 17 May 2011 09:37:05 +0200
Package: nbd-server
Version: 1:2.9.21-1
Severity: normal
Tags: security

nbd 2.9.21 contains a security issue in the negotiation phase (remote
DoS). It should not migrate, ever.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nbd-server depends on:
ii  adduser                      3.112+nmu2  add and remove users and groups
ii  debconf [debconf-2.0]        1.5.39      Debian configuration management sy
ii  libc6                        2.13-4      Embedded GNU C Library: Shared lib
ii  libglib2.0-0                 2.28.6-1    The GLib library of C routines
ii  ucf                          3.0025+nmu2 Update Configuration File: preserv

nbd-server recommends no packages.

nbd-server suggests no packages.

-- debconf information excluded

Severity set to 'serious' from 'normal' Request was from Thijs Kinkhorst <> to (Wed, 18 May 2011 10:42:15 GMT) Full text and rfc822 format available.

Information forwarded to, Wouter Verhelst <>:
Bug#627042; Package nbd-server. (Wed, 18 May 2011 10:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <>:
Extra info received and forwarded to list. Copy sent to Wouter Verhelst <>. (Wed, 18 May 2011 10:45:06 GMT) Full text and rfc822 format available.

Message #12 received at (full text, mbox):

From: "Thijs Kinkhorst" <>
Cc: "Wouter Verhelst" <>,
Subject: Re: bug in nbd-server
Date: Wed, 18 May 2011 12:32:37 +0200

On Tue, May 17, 2011 09:38, Wouter Verhelst wrote:
> nbd-server 2.9.21 has a NULL-pointer dereference in its negotiation
> phase, which allows unauthenticated users to DoS the server by causing
> the negotiation to fail (e.g., by specifying a non-existing name for an
> export).

Please use CVE-2011-1925.


Reply sent to Wouter Verhelst <>:
You have taken responsibility. (Sun, 29 May 2011 08:51:30 GMT) Full text and rfc822 format available.

Notification sent to Wouter Verhelst <>:
Bug acknowledged by developer. (Sun, 29 May 2011 08:51:50 GMT) Full text and rfc822 format available.

Message #17 received at (full text, mbox):

From: Wouter Verhelst <>
Subject: Bug#627042: fixed in nbd 1:2.9.22-1
Date: Sun, 29 May 2011 08:48:39 +0000
Source: nbd
Source-Version: 1:2.9.22-1

We believe that the bug you reported is fixed in the latest version of
nbd, which is due to be installed in the Debian FTP archive:

  to main/n/nbd/nbd-client-udeb_2.9.22-1_amd64.udeb
  to main/n/nbd/nbd-client_2.9.22-1_amd64.deb
  to main/n/nbd/nbd-server_2.9.22-1_amd64.deb
  to main/n/nbd/nbd_2.9.22-1.dsc
  to main/n/nbd/nbd_2.9.22-1.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Wouter Verhelst <> (supplier of updated nbd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.8
Date: Sun, 29 May 2011 09:40:55 +0200
Source: nbd
Binary: nbd-server nbd-client nbd-client-udeb
Architecture: source amd64
Version: 1:2.9.22-1
Distribution: unstable
Urgency: low
Maintainer: Wouter Verhelst <>
Changed-By: Wouter Verhelst <>
 nbd-client - Network Block Device protocol - client
 nbd-client-udeb - Network Block Device protocol - client for Debian Installer (udeb)
 nbd-server - Network Block Device protocol - server
Closes: 557809 627042
 nbd (1:2.9.22-1) unstable; urgency=low
   * New upstream release
     - Fixes CVE-2011-1925; Closes: #627042.
     - Fixes a number of data corruption bugs in the handling of oversized
     - Has far better test suite coverage.
     - Adds -d option to nbd-server to run non-detached; Closes: #557809.
Package-Type: udeb



Bug archived. Request was from Debbugs Internal Request <> to (Sun, 24 Jul 2011 07:34:43 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <>. Last modified: Fri Apr 18 08:19:00 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.