Security Advisory Important: rpcbind security update

Advisory: RHSA-2017:1267-2
Type: Security Advisory
Severity: Important
Issued on: 2017-05-23
Last updated on: 2017-06-16
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2017-8779

Details

An update for rpcbind is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

[Updated 16 June 2017]
The packages distributed with this errata have a bug that can cause the rpcbind
utility to terminate unexpectedly at start. RHBA-2017:1435 was released on 13
June 2017 to address this issue.

The rpcbind utility is a server that converts Remote Procedure Call (RPC)
program numbers into universal addresses. It must be running on the host to be
able to make RPC calls on a server on that machine.

Security Fix(es):

* It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory
leak can occur when parsing specially crafted XDR messages. An attacker sending
thousands of messages to rpcbind could cause its memory usage to grow without
bound, eventually causing it to be terminated by the OOM killer. (CVE-2017-8779)
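To make the defect class concrete for defenders, here is an added illustration that is not rpcbind's or libtirpc's code: a toy decoder for one XDR variable-length byte array (a 4-byte big-endian length, then the bytes padded to a multiple of 4). `xdr_bytes_leaky` allocates the output buffer before checking that the message body is long enough and, on failure, returns without freeing it, which is the leak-on-parse-error pattern the advisory describes; `xdr_bytes_fixed` releases the buffer on every error path. The allocation counter, the constructed messages and the `MAX_BYTES` cap are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative cap on a single XDR byte array; an assumption for this example. */
#define MAX_BYTES (1u << 20)

/* Counts buffers handed out by the decoder and not yet freed (example instrumentation). */
static size_t live_allocations = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocations++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { free(p); live_allocations--; }
}

/* Read a 4-byte big-endian XDR unsigned int at *pos; fail if the message is too short. */
static int read_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return 0;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
           ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    return 1;
}

typedef int (*xdr_decoder)(const uint8_t *, size_t, uint8_t **, uint32_t *);

/* Defective pattern: the buffer is allocated from the claimed length, then the
   short-body check fails and returns without freeing it. Every malformed
   message costs one allocation that is never reclaimed. */
int xdr_bytes_leaky(const uint8_t *msg, size_t len, uint8_t **out, uint32_t *out_len) {
    size_t pos = 0;
    uint32_t n;
    if (!read_u32(msg, len, &pos, &n) || n > MAX_BYTES) return 0;
    uint8_t *p = tracked_malloc(n ? n : 1);
    if (!p) return 0;
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (len - pos < padded) return 0;        /* BUG: p is leaked here */
    memcpy(p, msg + pos, n);
    *out = p;
    *out_len = n;
    return 1;
}

/* Corrected pattern: every failure path after the allocation frees the buffer. */
int xdr_bytes_fixed(const uint8_t *msg, size_t len, uint8_t **out, uint32_t *out_len) {
    size_t pos = 0;
    uint32_t n;
    if (!read_u32(msg, len, &pos, &n) || n > MAX_BYTES) return 0;
    uint8_t *p = tracked_malloc(n ? n : 1);
    if (!p) return 0;
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (len - pos < padded) {
        tracked_free(p);                     /* release before reporting failure */
        return 0;
    }
    memcpy(p, msg + pos, n);
    *out = p;
    *out_len = n;
    return 1;
}

/* Feed one constructed malformed message (claims 100 bytes, carries 4) to the
   decoder `rounds` times and report how many buffers remain outstanding.
   A non-zero result is the unbounded growth described in the advisory. */
size_t outstanding_after_malformed(xdr_decoder decode, int rounds) {
    static const uint8_t short_body[] = { 0x00, 0x00, 0x00, 0x64, 0xde, 0xad, 0xbe, 0xef };
    live_allocations = 0;
    for (int i = 0; i < rounds; i++) {
        uint8_t *out = NULL;
        uint32_t n = 0;
        if (decode(short_body, sizeof short_body, &out, &n)) tracked_free(out);
    }
    return live_allocations;
}

/* Sanity check on a constructed well-formed message ("abc" padded to 4 bytes):
   returns the decoded length, -1 on decode failure, -2 on wrong content. */
long decode_sample_ok(xdr_decoder decode) {
    static const uint8_t ok[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c', 0x00 };
    uint8_t *out = NULL;
    uint32_t n = 0;
    if (!decode(ok, sizeof ok, &out, &n)) return -1;
    long r = (memcmp(out, "abc", 3) == 0) ? (long)n : -2;
    tracked_free(out);
    return r;
}

int main(void) {
    printf("leaky decoder, 1000 malformed messages: %zu buffers outstanding\n",
           outstanding_after_malformed(xdr_bytes_leaky, 1000));
    printf("fixed decoder, 1000 malformed messages: %zu buffers outstanding\n",
           outstanding_after_malformed(xdr_bytes_fixed, 1000));
    printf("fixed decoder on well-formed input: length %ld\n",
           decode_sample_ok(xdr_bytes_fixed));
    return 0;
}
```

The instrumentation counter stands in for what an operator would observe as rpcbind's resident set growing under a stream of bad requests; in production the same defect is caught by running the daemon under a leak checker (for example Valgrind or AddressSanitizer's leak detection) with malformed inputs, and operationally by alerting on steady RSS growth of the rpcbind process.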
Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
rpcbind-0.2.0-13.el6_9.src.rpm
File outdated by:  RHBA-2017:1435
    MD5: 89f0bd2753be587dc6ee609c817431a4
SHA-256: 41e3740d5a2b64e12eb618460a514e9e103494f490fde86e34a20ff4137ff024
 
IA-32:
rpcbind-0.2.0-13.el6_9.i686.rpm
File outdated by:  RHBA-2017:1435
    MD5: de8e1d2fe71d09584db2b47ab7da8e1d
SHA-256: 59765585f0e0e8688805d15310dbeda9d80916c6cd0fe6b064f6d1c5d2e2bb61
rpcbind-debuginfo-0.2.0-13.el6_9.i686.rpm
File outdated by:  RHBA-2017:1435
    MD5: ac9d6ac31e3d9fbcfee022739ceab4dd
SHA-256: 88f16b6814945587db8091e21c0993bb4409a0fc49074cb4eb8fda89a0a683f8
 
x86_64:
rpcbind-0.2.0-13.el6_9.x86_64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 60fef33054c8748bdb6dcb9e119eec05
SHA-256: 44c7e01c33b964f57984f07d508979dd5347df996e3cfa32daa2ce8fc291ae67
rpcbind-debuginfo-0.2.0-13.el6_9.x86_64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 4a763901458736102e8f9f0582857d07
SHA-256: 373499737f9fa6fbafac46afec1bb91fc9122bf4e2c9d206c01b65d9905d3c29
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
rpcbind-0.2.0-13.el6_9.src.rpm
File outdated by:  RHBA-2017:1435
    MD5: 89f0bd2753be587dc6ee609c817431a4
SHA-256: 41e3740d5a2b64e12eb618460a514e9e103494f490fde86e34a20ff4137ff024
 
x86_64:
rpcbind-0.2.0-13.el6_9.x86_64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 60fef33054c8748bdb6dcb9e119eec05
SHA-256: 44c7e01c33b964f57984f07d508979dd5347df996e3cfa32daa2ce8fc291ae67
rpcbind-debuginfo-0.2.0-13.el6_9.x86_64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 4a763901458736102e8f9f0582857d07
SHA-256: 373499737f9fa6fbafac46afec1bb91fc9122bf4e2c9d206c01b65d9905d3c29
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
rpcbind-0.2.0-13.el6_9.src.rpm
File outdated by:  RHBA-2017:1435
    MD5: 89f0bd2753be587dc6ee609c817431a4
SHA-256: 41e3740d5a2b64e12eb618460a514e9e103494f490fde86e34a20ff4137ff024
 
IA-32:
rpcbind-0.2.0-13.el6_9.i686.rpm
File outdated by:  RHBA-2017:1435
    MD5: de8e1d2fe71d09584db2b47ab7da8e1d
SHA-256: 59765585f0e0e8688805d15310dbeda9d80916c6cd0fe6b064f6d1c5d2e2bb61
rpcbind-debuginfo-0.2.0-13.el6_9.i686.rpm
File outdated by:  RHBA-2017:1435
    MD5: ac9d6ac31e3d9fbcfee022739ceab4dd
SHA-256: 88f16b6814945587db8091e21c0993bb4409a0fc49074cb4eb8fda89a0a683f8
 
PPC:
rpcbind-0.2.0-13.el6_9.ppc64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 89ab68c2dbaf57eac9d9ccd2b03cd288
SHA-256: 876f265335ff18f239557974d7f50ab68c3d740d333afa528bf01e19090fd257
rpcbind-debuginfo-0.2.0-13.el6_9.ppc64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 4671192c3ff84d9fcf0870cc7f3ead9b
SHA-256: c249eac5a87ce2320cdbc692a8efc23b54c8d0aa7a5f97dff98ae6f36bf66423
 
s390x:
rpcbind-0.2.0-13.el6_9.s390x.rpm
File outdated by:  RHBA-2017:1435
    MD5: 29db4e347f1d57fb4341fe877af52fb0
SHA-256: d802ddaea1184af48c27abc8b79c12c3024f1b210668e6dc9c0b8016fd05a929
rpcbind-debuginfo-0.2.0-13.el6_9.s390x.rpm
File outdated by:  RHBA-2017:1435
    MD5: 37cb8d5e2988fef5e6e7169f7f6ecb35
SHA-256: a14f18ce8ec349388f757559968013af7cbe702356d3f7a4754167c38b3cead3
 
x86_64:
rpcbind-0.2.0-13.el6_9.x86_64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 60fef33054c8748bdb6dcb9e119eec05
SHA-256: 44c7e01c33b964f57984f07d508979dd5347df996e3cfa32daa2ce8fc291ae67
rpcbind-debuginfo-0.2.0-13.el6_9.x86_64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 4a763901458736102e8f9f0582857d07
SHA-256: 373499737f9fa6fbafac46afec1bb91fc9122bf4e2c9d206c01b65d9905d3c29
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
rpcbind-0.2.0-13.el6_9.src.rpm
File outdated by:  RHBA-2017:1435
    MD5: 89f0bd2753be587dc6ee609c817431a4
SHA-256: 41e3740d5a2b64e12eb618460a514e9e103494f490fde86e34a20ff4137ff024
 
IA-32:
rpcbind-0.2.0-13.el6_9.i686.rpm
File outdated by:  RHBA-2017:1435
    MD5: de8e1d2fe71d09584db2b47ab7da8e1d
SHA-256: 59765585f0e0e8688805d15310dbeda9d80916c6cd0fe6b064f6d1c5d2e2bb61
rpcbind-debuginfo-0.2.0-13.el6_9.i686.rpm
File outdated by:  RHBA-2017:1435
    MD5: ac9d6ac31e3d9fbcfee022739ceab4dd
SHA-256: 88f16b6814945587db8091e21c0993bb4409a0fc49074cb4eb8fda89a0a683f8
 
x86_64:
rpcbind-0.2.0-13.el6_9.x86_64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 60fef33054c8748bdb6dcb9e119eec05
SHA-256: 44c7e01c33b964f57984f07d508979dd5347df996e3cfa32daa2ce8fc291ae67
rpcbind-debuginfo-0.2.0-13.el6_9.x86_64.rpm
File outdated by:  RHBA-2017:1435
    MD5: 4a763901458736102e8f9f0582857d07
SHA-256: 373499737f9fa6fbafac46afec1bb91fc9122bf4e2c9d206c01b65d9905d3c29
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1448124 - CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/