Bugtraq mailing list archives
Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD
From: jvornehm () ece neu edu (Joseph E. Vornehm Jr.)
Date: Wed, 19 Aug 1998 11:30:46 -0400
Platforms: Vulnerable: AIX: 4.0, 4.1, 4.2, 4.3 HP-UX: 7.x, 8.x, 9.x, 10.x, 11.x SunOS: 4.1.3, 4.1.4 Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6 Redhat Linux: 4.0, 4.1, 4.2, 5.0, 5.1 Slackware Linux: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5 OSF: 3.2OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite what it says up there. Why? Because neither TL nor RH 5.1 even include rpc.pcnfsd (checked by querying every RPM package in both distributions, grepping for 'pcnfs' -- no matches).Did you look carefully on sunsite? /pub/Linux/system/network/sunacm/Other/pcnfsd/pcnsfd-140.tar.gz Notice there is a typo there. "pcnsfd"
It looks to me like the PCNFSD package wasn't included in any of the official Red Hat distributions (or, based on Scott's comments, official TurboLinux distributions). If that's the case, why would Red Hat be listed as a "vulnerable platform"? First of all, as a vendor, Red Hat should only be held accountable for the packages they include in the "official" distribution. Second, it's not even "Red Hat Linux" or "Slackware Linux" that's vulnerable -- it's the PCNFSD package. I'm not trying to say this specifically in defense of Red Hat -- it's more a general concern. If the package isn't part of the Frobnitz Linux distribution, then saying that "the Frobnitz Linux distribution is vulnerable" is incorrect and misleading. It would be much more accurate (and much less work for testing labs like RSI) to say something like, "The Linux PCNFSD package is vulnerable (tested under Frobnitz Linux 3.2.5)." (It's also extremely advisable to give extra information identifying the package(s), because (especially with Linux) there are often several packages that try to meet the same need. In this case, there are the linux_pcnfsd2.tgz package and the pcnsfd-140.tar.gz.) On the other hand, if a package (such as bind) that _is_ part of the Frobnitz Linux distribution is found vulnerable, then I want to hear about it in the advisory. One more point... If Slackware includes the PCNFSD package as part of the official distribution, that might explain why Mr. Volkerding was so helpful; Red Hat doesn't include it as part of their official distribution, and that might explain why they were so disinterested. (Does anyone from Slackware and/or Red Hat want to comment?) Joe Vornehm jvornehm () ece neu edu
Current thread:
- RSI.0008.08-18-98.ALL.RPC_PCNFSD RSI Advise (Aug 18)
- Microsoft Security Bulletin (MS98-011) (fwd) brian j. peterson (Aug 18)
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Scott Stone (Aug 19)
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Casper Dik (Aug 19)
- <Possible follow-ups>
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Brian Martin (Aug 19)
- Serious bug in Cisco PIX Robert Ståhlbrand (Aug 19)
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Alan Cox (Aug 19)
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Joseph E. Vornehm Jr. (Aug 19)
- Security Bulletins Digest (fwd) Piotr Strzy¿ewski (Aug 19)
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Volker Borchert (Aug 19)