Debian Bug report logs - #627042
security flaw in 2.9.21

version graph

Package: nbd-server; Maintainer for nbd-server is Wouter Verhelst <wouter@debian.org>; Source for nbd-server is src:nbd.

Reported by: Wouter Verhelst <wouter@debian.org>

Date: Tue, 17 May 2011 08:30:02 UTC

Severity: serious

Tags: security

Found in version nbd/1:2.9.21-1

Fixed in version nbd/1:2.9.22-1

Done: Wouter Verhelst <wouter@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#627042; Package nbd-server. (Tue, 17 May 2011 08:30:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wouter Verhelst <wouter@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Tue, 17 May 2011 08:30:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Wouter Verhelst <wouter@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security flaw in 2.9.21
Date: Tue, 17 May 2011 09:37:05 +0200
Package: nbd-server
Version: 1:2.9.21-1
Severity: normal
Tags: security

nbd 2.9.21 contains a security issue in the negotiation phase (remote
DoS). It should not migrate, ever.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nbd-server depends on:
ii  adduser                      3.112+nmu2  add and remove users and groups
ii  debconf [debconf-2.0]        1.5.39      Debian configuration management sy
ii  libc6                        2.13-4      Embedded GNU C Library: Shared lib
ii  libglib2.0-0                 2.28.6-1    The GLib library of C routines
ii  ucf                          3.0025+nmu2 Update Configuration File: preserv

nbd-server recommends no packages.

nbd-server suggests no packages.

-- debconf information excluded




Severity set to 'serious' from 'normal' Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 18 May 2011 10:42:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Wouter Verhelst <wouter@debian.org>:
Bug#627042; Package nbd-server. (Wed, 18 May 2011 10:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Wouter Verhelst <wouter@debian.org>. (Wed, 18 May 2011 10:45:06 GMT) Full text and rfc822 format available.

Message #12 received at 627042@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 627042@bugs.debian.org
Cc: "Wouter Verhelst" <w@uter.be>, team@security.debian.org
Subject: Re: bug in nbd-server
Date: Wed, 18 May 2011 12:32:37 +0200
On Tue, May 17, 2011 09:38, Wouter Verhelst wrote:
> nbd-server 2.9.21 has a NULL-pointer dereference in its negotiation
> phase, which allows unauthenticated users to DoS the server by causing
> the negotiation to fail (e.g., by specifying a non-existing name for an
> export).

Please use CVE-2011-1925.


Cheers,
Thijs




Reply sent to Wouter Verhelst <wouter@debian.org>:
You have taken responsibility. (Sun, 29 May 2011 08:51:30 GMT) Full text and rfc822 format available.

Notification sent to Wouter Verhelst <wouter@debian.org>:
Bug acknowledged by developer. (Sun, 29 May 2011 08:51:50 GMT) Full text and rfc822 format available.

Message #17 received at 627042-close@bugs.debian.org (full text, mbox):

From: Wouter Verhelst <wouter@debian.org>
To: 627042-close@bugs.debian.org
Subject: Bug#627042: fixed in nbd 1:2.9.22-1
Date: Sun, 29 May 2011 08:48:39 +0000
Source: nbd
Source-Version: 1:2.9.22-1

We believe that the bug you reported is fixed in the latest version of
nbd, which is due to be installed in the Debian FTP archive:

nbd-client-udeb_2.9.22-1_amd64.udeb
  to main/n/nbd/nbd-client-udeb_2.9.22-1_amd64.udeb
nbd-client_2.9.22-1_amd64.deb
  to main/n/nbd/nbd-client_2.9.22-1_amd64.deb
nbd-server_2.9.22-1_amd64.deb
  to main/n/nbd/nbd-server_2.9.22-1_amd64.deb
nbd_2.9.22-1.dsc
  to main/n/nbd/nbd_2.9.22-1.dsc
nbd_2.9.22-1.tar.gz
  to main/n/nbd/nbd_2.9.22-1.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627042@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Wouter Verhelst <wouter@debian.org> (supplier of updated nbd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 29 May 2011 09:40:55 +0200
Source: nbd
Binary: nbd-server nbd-client nbd-client-udeb
Architecture: source amd64
Version: 1:2.9.22-1
Distribution: unstable
Urgency: low
Maintainer: Wouter Verhelst <wouter@debian.org>
Changed-By: Wouter Verhelst <wouter@debian.org>
Description: 
 nbd-client - Network Block Device protocol - client
 nbd-client-udeb - Network Block Device protocol - client for Debian Installer (udeb)
 nbd-server - Network Block Device protocol - server
Closes: 557809 627042
Changes: 
 nbd (1:2.9.22-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes CVE-2011-1925; Closes: #627042.
     - Fixes a number of data corruption bugs in the handling of oversized
       requests.
     - Has far better test suite coverage.
     - Adds -d option to nbd-server to run non-detached; Closes: #557809.
Checksums-Sha1: 
 a58ff147728866ec5fc0ad7779cb52c0fa94a38f 1542 nbd_2.9.22-1.dsc
 784da9b6bb3403f258924cffe88abdc50cde66b2 1041380 nbd_2.9.22-1.tar.gz
 6ae991774901ffeaeaf08cfc60f53a8dc0bacf32 65998 nbd-server_2.9.22-1_amd64.deb
 512dbd496f104a34d45b200b9e139b0e2964ffd8 54896 nbd-client_2.9.22-1_amd64.deb
 c77a89eba2199f0240351ba089a591cc8d817fd4 7764 nbd-client-udeb_2.9.22-1_amd64.udeb
Checksums-Sha256: 
 888f0c2c8fec2e547b0d9082c087c4b90da6a3e28d35a3ac1a072a333f096860 1542 nbd_2.9.22-1.dsc
 79b5b1ada333483f5a0a46006fefd07b68ef4c5e8d29eb46655fdae8344c946b 1041380 nbd_2.9.22-1.tar.gz
 b0bb122b8ceaed9e2650b517f0f1b15c581e0da9194a5383cd548424275384dc 65998 nbd-server_2.9.22-1_amd64.deb
 e90460e94134cc68e6b83868d53d90952cf1ea91f83e50fa2a73d0e06e8adc4d 54896 nbd-client_2.9.22-1_amd64.deb
 c050eab121a9b805562408e44384b0d995321af5e81f6198a74142f0f77a9042 7764 nbd-client-udeb_2.9.22-1_amd64.udeb
Files: 
 7067bafc01a9748d759d97e37ead058f 1542 admin optional nbd_2.9.22-1.dsc
 5a2f0755860466f290af48336fdfa549 1041380 admin optional nbd_2.9.22-1.tar.gz
 1235a641b27265382c5c6f75a7dfbd99 65998 admin optional nbd-server_2.9.22-1_amd64.deb
 1c13b4cd8285e8c0cfaf723d766b889f 54896 admin optional nbd-client_2.9.22-1_amd64.deb
 12d6e448d776af0982bfb1f4bc14c22d 7764 debian-installer optional nbd-client-udeb_2.9.22-1_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJN4gBdAAoJEMKUD5Ub3wqdzoUQALcsoWCHrRBOqsJf3u4UvCXq
w9oHiZ1bxZdAwHC1begz8KONK3sbcsPdqQkdh3JRa3atPOP4xnBTT5t98FPCMzi+
NA+FsdKUYjSDt8aErP6kAjWEpUo68TxRN9sBL6EdszD8llSvkpmnsV5W4fQ76G41
uxxmypeGnlwp7QjXX/40mdJZ666NUEyyAzem+dBLp6vXkeQc1l4lLZlbGRHW5s2V
pc4AojMqbp2uYbdiS/P1uE9MF8g9bnTxOpiW/m+UwZ5tRyAvb4EP+BXWrD6r9FBA
rzAFegyykSO//P16dxnlwk1JoHYv4oFa8GAB5XOe0QTpWts3m+4Yw1SbpPuZ6t6g
Np/0hBK5EwgiMzo+HeUnbwufkK+40sX+4VThdsBC/VyiblXzi16CfspfHxpRDkDR
9jqudI85WYUnDx5fOm9JeikST4Ho7bN87xJwEsRPpsr5IhU5Qex/c0WLQWV6gWcJ
4thXWEaeJdEpJ2W0hgkUMkJFFxCgu2GeoeVpCooqBvomK2JJGKqdFKfYY8mkSoic
D8iMcZhwv4XKv140Y8zCjzt/UljbcaAoarSlAU9EZ3FUOfGOLLWTaWMa6ZoxiOjT
5hYTUn18MCaovGukTtYflji0VCFT3mPVrMr0m/4YrZzUQTy2hhnlA+LvJb7QyehG
4mnM84OQuj5x4TiUz6WA
=CN96
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jul 2011 07:34:43 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:19:00 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.