Skip to navigation

Security Advisory Important: scsi-target-utils security update

Advisory: RHSA-2010:0362-1
Type: Security Advisory
Severity: Important
Issued on: 2010-04-20
Last updated on: 2010-04-20
Affected Products: RHEL Cluster-Storage (v. 5 server)
CVEs (cve.mitre.org): CVE-2010-0743

Details

An updated scsi-target-utils package that fixes one security issue is now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The scsi-target-utils package contains the daemon and tools to set up and
monitor SCSI targets. Currently, iSCSI software and iSER targets are
supported.

A format string flaw was found in scsi-target-utils' tgtd daemon. A
remote attacker could trigger this flaw by sending a carefully-crafted
Internet Storage Name Service (iSNS) request, causing the tgtd daemon to
crash. (CVE-2010-0743)

All scsi-target-utils users should upgrade to this updated package, which
contains a backported patch to correct this issue. All running
scsi-target-utils services must be restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Cluster-Storage (v. 5 server)

SRPMS:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.src.rpm
File outdated by:  RHBA-2012:0279
    MD5: 4d40c739d6e46c5e3b36f9df291f73c8
SHA-256: ceb0915700dd690aafa7b4937b80468317b8d591064a74b4997d4dcf8a7eba39
 
IA-32:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.i386.rpm
File outdated by:  RHBA-2012:0279
    MD5: 6986fd283aaad97580b321840e1f75ec
SHA-256: d2257d57cbc24839f7525bc3f49f372bcdd47bbe38aee3dddac369c835630a04
 
IA-64:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.ia64.rpm
File outdated by:  RHBA-2012:0279
    MD5: 38657023a19c95dc94a5060a6d70c6a7
SHA-256: 310af6ec561515a8393b46668caf5995e11279818347c2137e6b4818d588bed6
 
PPC:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.ppc.rpm
File outdated by:  RHBA-2012:0279
    MD5: dea84affccff2aac688df486a6c2faa4
SHA-256: 392a5d3a899c814e3cca1cd3df9d4f1029de0b71b2a123dec18535cae7042bc3
 
x86_64:
scsi-target-utils-0.0-6.20091205snap.el5_5.2.x86_64.rpm
File outdated by:  RHBA-2012:0279
    MD5: c0b9f4242414f1dc4b8af34d279c18f1
SHA-256: a9d84d88f189312f94de535ff76e8736c38baa8628f3680beb41872cbd71c94c
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

576359 - CVE-2010-0743 scsi-target-utils: format string vulnerability


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/