Bug 762294 (CVE-2012-0862) - CVE-2012-0862: xinetd: enables all services when tcp multiplexing is used
Status: RESOLVED FIXED
Alias: CVE-2012-0862
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Assignee: Michal Vyskocil
QA Contact: Security Team bot
Whiteboard: maint:running:56423:moderate maint:re...
Depends on: 855685
Reported: 2012-05-15 11:26 UTC by Matthias Weckbecker
Modified: 2018-10-19 18:13 UTC

Attachments
-- xinetd-2.3.14-tcpmux-nonmux-security.patch (1.52 KB, patch)
2012-05-15 11:29 UTC, Matthias Weckbecker

Description Matthias Weckbecker 2012-05-15 11:26:42 UTC
When xinetd is configured (non-default) to do multiplexing of tcp services
it allows *all* services to be accessed instead of just the configured ones.

Issue found by Thomas Swan.
Comment 1 Matthias Weckbecker 2012-05-15 11:29:50 UTC
Created attachment 490854
-- xinetd-2.3.14-tcpmux-nonmux-security.patch
Comment 2 Matthias Weckbecker 2012-05-15 11:30:15 UTC
Proposed patch (also from Thomas Swan) available at #c1.
Comment 12 Marcus Meissner 2013-04-05 15:06:14 UTC
Untag, we will not fix this bug for existing products.
Comment 13 Michal Vyskocil 2013-04-19 12:38:20 UTC
fixed by 2.3.15 to be submitted into Factory

 * Merge patch from Thomas Swan regarding CVE-2012-0862
Comment 16 Swamp Workflow Management 2014-03-31 10:04:33 UTC
Update released for: xinetd, xinetd-debuginfo
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 17 Swamp Workflow Management 2014-03-31 10:05:00 UTC
Update released for: xinetd
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 18 Swamp Workflow Management 2014-03-31 10:05:38 UTC
Update released for: xinetd, xinetd-debuginfo, xinetd-debugsource
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 19 Bernhard Wiedemann 2014-03-31 12:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (762294) was mentioned in
https://build.opensuse.org/request/show/228309 13.1+12.3 / xinetd
Comment 20 Swamp Workflow Management 2014-03-31 15:47:55 UTC
Update released for: xinetd, xinetd-debuginfo, xinetd-debugsource
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 21 Swamp Workflow Management 2014-03-31 19:04:22 UTC
SUSE-SU-2014:0466-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 762294,844230,855685
CVE References: CVE-2012-0862,CVE-2013-4342
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    xinetd-2.3.14-130.133.1
SUSE Linux Enterprise Server 11 SP3 (src):    xinetd-2.3.14-130.133.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xinetd-2.3.14-130.133.1
Comment 22 Swamp Workflow Management 2014-04-08 19:05:19 UTC
openSUSE-SU-2014:0494-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 726737,762294,844230,855685
CVE References: CVE-2012-0862,CVE-2013-4342
Sources used:
openSUSE 11.4 (src):    xinetd-2.3.14-155.1
Comment 23 Swamp Workflow Management 2014-04-11 14:05:21 UTC
openSUSE-SU-2014:0517-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 762294,844230,855685
CVE References: CVE-2012-0862,CVE-2013-4342
Sources used:
openSUSE 13.1 (src):    xinetd-2.3.15-2.8.1
openSUSE 12.3 (src):    xinetd-2.3.14-163.4.1
Comment 24 Swamp Workflow Management 2014-07-04 19:48:15 UTC
Update released for: xinetd, xinetd-debuginfo, xinetd-debugsource
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 25 Swamp Workflow Management 2014-07-04 19:49:31 UTC
Update released for: xinetd, xinetd-debuginfo
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 26 Swamp Workflow Management 2014-07-04 19:55:40 UTC
Update released for: xinetd, xinetd-debuginfo, xinetd-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 27 Swamp Workflow Management 2014-07-04 20:46:31 UTC
Update released for: xinetd, xinetd-debuginfo
Products:
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 28 Swamp Workflow Management 2014-07-05 00:04:29 UTC
SUSE-SU-2014:0871-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 762294,844230
CVE References: CVE-2012-0862,CVE-2013-4342
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xinetd-2.3.14-130.133.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xinetd-2.3.14-130.133.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xinetd-2.3.14-14.12.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    xinetd-2.3.14-14.12.1