nfs-utils: Information disclosure — GLSA 201412-02

A vulnerability in nfs-utils might allow remote attackers to gain access to restricted information.

Affected Packages

net-fs/nfs-utils on all architectures
Affected versions < 1.2.8
Unaffected versions >= 1.2.8

Background

nfs-utils contains the client and daemon implementations for the NFS protocol.

Description

rpc.gssd in nfs-utils is vulnerable to DNS spoofing due to it depending on PTR resolution for GSSAPI authentication, allowing for data to be submitted to a malicious server without the knowledge of the user.

Impact

A remote attacker may be able to obtain sensitive information.

Workaround

There is no known workaround at this time.

Resolution

All nfs-utils users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-fs/nfs-utils-1.2.8"
 

References

Release Date
December 08, 2014

Latest Revision
December 08, 2014: 1

Severity
normal

Exploitable
remote

Bugzilla entries