[ubuntu-hardened] rpcbind CVE-2017-8779
seth.arnold at canonical.com
Fri Jul 28 20:20:35 UTC 2017
On Fri, Jul 28, 2017 at 10:31:24AM +0100, Michael Rutter wrote:
> Is there any progress on fixing CVE-2017-8779 in rpcbind (particularly in
> 16.04LTS)? I note that
> states that its priority is low, but
> https://security-tracker.debian.org/tracker/CVE-2017-8779 states that its
> NVD severity is "high".
Hello Michael, we haven't started on this yet, and probably won't get to
it soon. Research from our friends at SUSE showed limited impact:
laddc> Is this rpcbomb intentionally innocuous? At least on my tests, it does
laddc> allocate virtual memory but the system memory is kept free. After 571GB
laddc> of virtual memory for rpcbind, my system (xen dom0) with 1GB of RAM was
laddc> still fine.
This isn't ideal but we felt there were more pressing issues.
If you have more compelling reasons to reprioritize this update please do
let us know.
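The virtual-versus-resident distinction behind the SUSE observation quoted above can be reproduced directly. What follows is an added example, not code from this thread, from rpcbind or from SUSE: a small Linux C program that malloc()s several large blocks without writing to them, reads VmSize and VmRSS from /proc/self/status, then writes one byte per page of a single block to show the resident size catching up only for memory that is actually touched. It assumes Linux (/proc) and glibc; the 90%/10% thresholds in the verdict function are this example's own choice, not anything from the thread.

```c
/* Added example (not code from the thread, rpcbind, or SUSE): shows that on
 * Linux, anonymous memory obtained from malloc() grows VmSize immediately but
 * only grows VmRSS once the pages are actually written. Linux/glibc assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct mem_kb {
    long vm_size;   /* VmSize from /proc/self/status, kB */
    long vm_rss;    /* VmRSS  from /proc/self/status, kB */
};

struct lazy_alloc_result {
    long chunk_kb;          /* size of one malloc()ed block, kB */
    long requested_kb;      /* chunk_kb * nchunks */
    long vsz_delta_kb;      /* VmSize growth after all mallocs */
    long rss_untouched_kb;  /* VmRSS growth after all mallocs, nothing written */
    long rss_touched_kb;    /* further VmRSS growth after writing to ONE block */
};

/* Read our own VmSize/VmRSS. Returns 0 on success, -1 if /proc is unavailable. */
static int read_mem_kb(struct mem_kb *out)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;
    if (!f)
        return -1;
    out->vm_size = out->vm_rss = -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "VmSize: %ld", &out->vm_size) == 1)
            found++;
        else if (sscanf(line, "VmRSS: %ld", &out->vm_rss) == 1)
            found++;
    }
    fclose(f);
    return found == 2 ? 0 : -1;
}

static void free_all(void **blocks, int n)
{
    for (int i = 0; i < n; i++)
        free(blocks[i]);
    free(blocks);
}

/* malloc() nchunks blocks of chunk_bytes without touching them, measure, then
 * write one byte per page of block 0 and measure again.
 * Returns 0 and fills *r on success, -1 on allocation or /proc failure. */
int lazy_alloc_demo(size_t chunk_bytes, int nchunks, struct lazy_alloc_result *r)
{
    struct mem_kb before, after_alloc, after_touch;
    long page = sysconf(_SC_PAGESIZE);
    void **blocks = calloc((size_t)nchunks, sizeof *blocks);
    int i;

    if (!blocks || page <= 0 || read_mem_kb(&before) != 0) {
        free(blocks);
        return -1;
    }
    for (i = 0; i < nchunks; i++) {
        blocks[i] = malloc(chunk_bytes);      /* large requests: glibc mmap()s them */
        if (!blocks[i]) {
            free_all(blocks, i);
            return -1;
        }
    }
    if (read_mem_kb(&after_alloc) != 0) {
        free_all(blocks, nchunks);
        return -1;
    }
    /* volatile stores so the compiler cannot drop writes to memory we only free */
    volatile unsigned char *p = blocks[0];
    for (size_t off = 0; off < chunk_bytes; off += (size_t)page)
        p[off] = 0xA5;                        /* first write faults the page in */
    if (read_mem_kb(&after_touch) != 0) {
        free_all(blocks, nchunks);
        return -1;
    }

    r->chunk_kb = (long)(chunk_bytes / 1024);
    r->requested_kb = r->chunk_kb * nchunks;
    r->vsz_delta_kb = after_alloc.vm_size - before.vm_size;
    r->rss_untouched_kb = after_alloc.vm_rss - before.vm_rss;
    r->rss_touched_kb = after_touch.vm_rss - after_alloc.vm_rss;
    free_all(blocks, nchunks);
    return 0;
}

/* 1 if the expected gap is observed (VmSize grew by >=90% of the request while
 * untouched VmRSS grew by <=10%, and writing one block grew VmRSS by >=90% of
 * that block), 0 if not, -1 if no measurement could be taken.
 * The percentages are this example's own thresholds. */
int lazy_alloc_gap_observed(size_t chunk_bytes, int nchunks)
{
    struct lazy_alloc_result r;
    if (lazy_alloc_demo(chunk_bytes, nchunks, &r) != 0)
        return -1;
    return r.vsz_delta_kb >= r.requested_kb * 9 / 10
        && r.rss_untouched_kb <= r.requested_kb / 10
        && r.rss_touched_kb >= r.chunk_kb * 9 / 10;
}

int main(void)
{
    struct lazy_alloc_result r;
    if (lazy_alloc_demo(32u << 20, 8, &r) != 0) {
        fprintf(stderr, "measurement failed (no /proc or allocation refused)\n");
        return 1;
    }
    printf("requested %ld kB: VmSize +%ld kB, VmRSS +%ld kB untouched, "
           "+%ld kB after writing one %ld kB block\n",
           r.requested_kb, r.vsz_delta_kb, r.rss_untouched_kb,
           r.rss_touched_kb, r.chunk_kb);
    return 0;
}
```

Two caveats a practitioner would attach to this. First, the flat VmRSS only holds for as long as the allocated buffers are never written; any pass that fills them turns the virtual growth into real memory pressure. Second, the result depends on the kernel's overcommit policy: a virtual size far beyond RAM plus swap is only reachable under heuristic overcommit (vm.overcommit_memory 0 or 1), while strict accounting (mode 2) counts every allocation against the commit limit, so the same pattern would instead make allocations start failing, in that process or in whichever process allocates next.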