Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD

From: Joseph E. Vornehm Jr. (jvornehmat_private)
Date: Wed Aug 19 1998 - 08:30:46 PDT


    > > > Platforms:     Vulnerable:
    > > >
    > > >                AIX: 4.0, 4.1, 4.2, 4.3
    > > >                HP-UX: 7.x, 8.x, 9.x, 10.x, 11.x
    > > >                SunOS: 4.1.3, 4.1.4
    > > >                Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
    > > >                Redhat Linux: 4.0, 4.1, 4.2, 5.0, 5.1
    > > >                Slackware Linux: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5
    > > >                OSF: 3.2
    > >
    > >
    > > OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite
    > > what it says up there.  Why?  Because neither TL nor RH 5.1 even include
    > > rpc.pcnfsd (checked by querying every RPM package in both distributions,
    > > grepping for 'pcnfs' -- no matches).
    >
    > Did you look carefully on sunsite?
    >
    > /pub/Linux/system/network/sunacm/Other/pcnfsd/pcnsfd-140.tar.gz
    >
    > Notice there is a typo there. "pcnsfd"
    
    It looks to me like the PCNFSD package wasn't included in any of the
    official Red Hat distributions (or, based on Scott's comments, official
    TurboLinux distributions).  If that's the case, why would Red Hat be
    listed as a "vulnerable platform"?  First of all, as a vendor, Red Hat
    should only be held accountable for the packages they include in the
    "official" distribution.  Second, it's not even "Red Hat Linux" or
    "Slackware Linux" that's vulnerable -- it's the PCNFSD package.
    
    I'm not trying to say this specifically in defense of Red Hat -- it's
    more a general concern.  If the package isn't part of the Frobnitz Linux
    distribution, then saying that "the Frobnitz Linux distribution is
    vulnerable" is incorrect and misleading.  It would be much more accurate
    (and much less work for testing labs like RSI) to say something like,
    "The Linux PCNFSD package is vulnerable (tested under Frobnitz Linux
    3.2.5)."  (It's also extremely advisable to give extra information
    identifying the package(s), because (especially with Linux) there are
    often several packages that try to meet the same need.  In this case,
    there are the linux_pcnfsd2.tgz package and the pcnsfd-140.tar.gz.)
    
    On the other hand, if a package (such as bind) that _is_ part of the
    Frobnitz Linux distribution is found vulnerable, then I want to hear
    about it in the advisory.
    
    One more point... If Slackware includes the PCNFSD package as part of
    the official distribution, that might explain why Mr. Volkerding was so
    helpful; Red Hat doesn't include it as part of their official
    distribution, and that might explain why they were so disinterested.
    (Does anyone from Slackware and/or Red Hat want to comment?)
    
    Joe Vornehm
    jvornehmat_private
    

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:06 PDT