Advisories » MGASA-2017-0183

Updated rpcbind/libtirpc packages fix security vulnerability

Publication date: 26 Jun 2017
Modification date: 26 Jun 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-8779

Description

It was discovered that rpcbind and libtirpc contain a vulnerability that
allows an attacker to allocate an arbitrary number of bytes (up to 4
gigabytes per attack) on a remote rpcbind host. The memory is never freed
unless the process crashes or the administrator halts or restarts the
rpcbind service. This can slow down the system’s operations significantly
or prevent other services from spawning processes entirely (CVE-2017-8779).

References

SRPMS

5/core