[ubuntu-hardened] rpcbind CVE-2017-8779

Seth Arnold seth.arnold at canonical.com
Fri Jul 28 20:20:35 UTC 2017

On Fri, Jul 28, 2017 at 10:31:24AM +0100, Michael Rutter wrote:
> Is there any progress on fixing CVE-2017-8779 in rpcbind (particularly in 
> 16.04LTS)? I note that 
> https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8779.html 
> states that its priority is low, but 
> https://security-tracker.debian.org/tracker/CVE-2017-8779 states that its 
> NVD severity is "high".

Hello Michael, we haven't started on this yet, and probably won't get to
it soon. Research from our friends at SUSE showed limited impact:

laddc> Is this rpcbomb intentionally innocuous? At least on my tests, it does
laddc> allocate virtual memory but the system memory is kept free. After 571GB
laddc> of virtual memory for rpcbind, my system (xen dom0) with 1GB of RAM was
laddc> still fine.


This isn't ideal but we felt there were more pressing issues.

If you have more compelling reasons to reprioritize this update please do
let us know.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20170728/d6e5984f/attachment.pgp>

More information about the ubuntu-hardened mailing list