[ubuntu-hardened] rpcbind CVE-2017-8779
Seth Arnold
seth.arnold at canonical.com
Fri Jul 28 20:20:35 UTC 2017
On Fri, Jul 28, 2017 at 10:31:24AM +0100, Michael Rutter wrote:
> Is there any progress on fixing CVE-2017-8779 in rpcbind (particularly in
> 16.04LTS)? I note that
> https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8779.html
> states that its priority is low, but
> https://security-tracker.debian.org/tracker/CVE-2017-8779 states that its
> NVD severity is "high".
Hello Michael, we haven't started on this yet, and probably won't get to
it soon. Research from our friends at SUSE showed limited impact:
laddc> Is this rpcbomb intentionally innocuous? At least on my tests, it does
laddc> allocate virtual memory but the system memory is kept free. After 571GB
laddc> of virtual memory for rpcbind, my system (xen dom0) with 1GB of RAM was
laddc> still fine.
https://bugzilla.suse.com/show_bug.cgi?id=1037559#c8
This isn't ideal but we felt there were more pressing issues.
If you have more compelling reasons to reprioritize this update please do
let us know.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20170728/d6e5984f/attachment.pgp>
More information about the ubuntu-hardened
mailing list