Bugzilla – Bug 844230
VUL-0: CVE-2013-4342: xinetd: ignores user and group directives for tcpmux services
Last modified: 2018-10-19 18:13:08 UTC
via rh bugzilla CVE-2013-4342
If a tcpmux service is enabled, the user and group directives are ignored and the service always runs as root. Verified in the xinetd codebase and affects all active versions of RHEL and Fedora. Without the fix for CVE-2012-0862, previously exposed non-tcpmux services could run as root bypassing their respective user and group restrictions.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342
https://bugzilla.redhat.com/show_bug.cgi?id=1006100
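The practical question for an administrator reading the comment above is "which of my xinetd services are affected?": any enabled service with type TCPMUX or TCPMUXPLUS whose user/group directives expect privileges to be dropped. The following configuration audit is an added example written for this page; it is not xinetd's own code and not part of the bug report. It parses the standard xinetd.conf block syntax (`service name { key = value }`, `defaults`, the `=`, `+=` and `-=` operators, `#` comments) and flags tcpmux services that would silently run as root on an xinetd without the fix. The configuration text embedded in the block is constructed for the demonstration.

```python
"""Audit xinetd configuration for tcpmux services whose user/group
directives are ignored by xinetd builds affected by CVE-2013-4342.

Added example for this bug page, not xinetd's own code. The sample
configuration below is constructed; the `type`, `user`, `group` and
`disable` attributes are standard xinetd.conf keys.
"""
import re
from typing import Dict, List

# Values of the xinetd `type` attribute that route a service through the
# internal tcpmux multiplexer (the code path affected by CVE-2013-4342).
TCPMUX_TYPES = {"TCPMUX", "TCPMUXPLUS"}

SERVICE_RE = re.compile(r"^service\s+([^\s{]+)\s*\{?\s*$")
ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_xinetd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `service name { ... }` blocks into {service: {attr: value}}.

    The `defaults` block is returned under the key "defaults". `#` starts a
    comment; `+=` appends to and `-=` removes from a space-separated value.
    Lines outside any block (e.g. `includedir`) are ignored.
    """
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "defaults":
            current = "defaults"
            services[current] = {}
            continue
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        if line == "{":
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        key, op, value = m.group(1), m.group(2), m.group(3).strip()
        attrs = services[current]
        if op == "=":
            attrs[key] = value
        elif op == "+=":
            attrs[key] = (attrs.get(key, "") + " " + value).strip()
        else:  # "-=": drop the listed tokens from the existing value
            removed = set(value.split())
            attrs[key] = " ".join(t for t in attrs.get(key, "").split() if t not in removed)
    return services


def find_tcpmux_privilege_issues(services: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per enabled tcpmux service that is configured to
    drop privileges. On an affected xinetd those directives are ignored and
    the server runs as root, so each finding is a service to patch or disable.
    """
    findings = []
    for name, attrs in services.items():
        if name == "defaults":
            continue
        type_flags = set(attrs.get("type", "").upper().split())
        if not type_flags & TCPMUX_TYPES:
            continue
        # A service is active unless explicitly disabled (simplified; the
        # `defaults` block's `disabled` list is not consulted here).
        if attrs.get("disable", "no").lower() == "yes":
            continue
        user, group = attrs.get("user"), attrs.get("group")
        if (user and user != "root") or (group and group != "root"):
            findings.append(
                f"{name}: tcpmux service configured with user={user} group={group}, "
                f"but an xinetd without the CVE-2013-4342 fix runs it as root"
            )
    return findings


def audit_xinetd_text(text: str) -> List[str]:
    """Convenience wrapper: parse a configuration and return its findings."""
    return find_tcpmux_privilege_issues(parse_xinetd_conf(text))


# Constructed sample configuration: one affected service (echo-mux), one
# ordinary service (rsync) and one tcpmux service that is disabled (old-mux).
SAMPLE_CONF = """
defaults
{
    log_type = SYSLOG daemon info
}

service echo-mux
{
    type = TCPMUX UNLISTED
    user = nobody
    group = nobody
    server = /usr/local/bin/echo-server   # placeholder path
    disable = no
}

service rsync
{
    socket_type = stream
    user = root
    server = /usr/bin/rsync
    disable = no
}

service old-mux
{
    type = TCPMUXPLUS
    user = daemon
    disable = yes
}
"""

if __name__ == "__main__":
    for finding in audit_xinetd_text(SAMPLE_CONF):
        print(finding)
```

Run against a real host by reading /etc/xinetd.conf and each file in /etc/xinetd.d and concatenating them before parsing. A finding means the service either needs the patched xinetd package from the update notices on this bug, or should be disabled until it is installed.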
bugbot adjusting priority
Sorry for the late reply. Did the situation change meanwhile, so we can take everything from upstream?
No, the last commit to xinetd's branch is a year old - I'd recommend using the patch from a pull request ...
yes, let's do that. looks simple enough.
Update released for: xinetd, xinetd-debuginfo
Products: SLE-DEBUGINFO 10-SP3-TERADATA (x86_64), SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: xinetd
Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: xinetd, xinetd-debuginfo, xinetd-debugsource
Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64), SLE-SERVER 11-SP1-TERADATA (x86_64)
Factory and SLE12 were fixed. openSUSE update submitted as well.
This is an autogenerated message for OBS integration: This bug (844230) was mentioned in https://build.opensuse.org/request/show/228309 13.1+12.3 / xinetd
okay, all stuff submitted
Update released for: xinetd, xinetd-debuginfo, xinetd-debugsource
Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP3 (i386, x86_64), SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0466-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 762294,844230,855685
CVE References: CVE-2012-0862,CVE-2013-4342
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): xinetd-2.3.14-130.133.1
SUSE Linux Enterprise Server 11 SP3 (src): xinetd-2.3.14-130.133.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xinetd-2.3.14-130.133.1
This is an autogenerated message for OBS integration: This bug (844230) was mentioned in https://build.opensuse.org/request/show/228736 Factory / xinetd
openSUSE-SU-2014:0494-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 726737,762294,844230,855685
CVE References: CVE-2012-0862,CVE-2013-4342
Sources used:
openSUSE 11.4 (src): xinetd-2.3.14-155.1
openSUSE-SU-2014:0517-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 762294,844230,855685
CVE References: CVE-2012-0862,CVE-2013-4342
Sources used:
openSUSE 13.1 (src): xinetd-2.3.15-2.8.1
openSUSE 12.3 (src): xinetd-2.3.14-163.4.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-07-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57970
*** Bug 882917 has been marked as a duplicate of this bug. ***
PTF for SLES11-SP1 is available there: https://ptf.suse.com/56c18f00d531d259c8db862e82b9eee6/sles11-sp1/7086/x86_64/20140630
-------------------------------------------------------------------
Mon Jun 30 14:48:35 CEST 2014 - stokos@suse.de
- xinetd-2.3.14-bnc844230.patch (bnc#882917, bnc#844230, CVE-2013-4342)
-------------------------------------------------------------------
Please, give me feedback.
I am sorry, it should be in bug 882917.
Update released for: xinetd, xinetd-debuginfo, xinetd-debugsource
Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64), SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Update released for: xinetd, xinetd-debuginfo
Products: SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Update released for: xinetd, xinetd-debuginfo, xinetd-debugsource
Products: SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64), SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Update released for: xinetd, xinetd-debuginfo
Products: SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
SUSE-SU-2014:0871-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 762294,844230
CVE References: CVE-2012-0862,CVE-2013-4342
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): xinetd-2.3.14-130.133.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src): xinetd-2.3.14-130.133.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src): xinetd-2.3.14-14.12.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src): xinetd-2.3.14-14.12.1
released, closed and fixed.