Rapid7 Vulnerability & Exploit Database

RHSA-2003:173: Updated ypserv packages fix a denial of service vulnerability

Back to Search

RHSA-2003:173: Updated ypserv packages fix a denial of service vulnerability

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
07/24/2003
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated ypserv packages fixing a denial of service vulnerability are now available.

The ypserv package contains the Network Information Service (NIS) server. A vulnerability has been discovered in the ypserv NIS server prior to version 2.7. If a malicious client queries ypserv via TCP and subsequently ignores the server's response, ypserv will block attempting to send the reply. This results in ypserv failing to respond to other client requests. Versions 2.7 and above of ypserv have been altered to fork a child for each client request, thus preventing any one request from causing the server to block. Red Hat recommends that users of NIS upgrade to these packages, which contain version 2.8.0 of ypserv and are therefore not vulnerable to this issue.

Solution(s)

  • redhat-upgrade-ypserv

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;