CentOS Errata and Security Advisory CESA-2013:0884
These packages provide a transport-independent RPC (remote procedure call) implementation.
A flaw was found in the way libtirpc decoded RPC requests. A specially-crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950)
Red Hat would like to thank Michael Armstrong for reporting this issue.
Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.
Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2013-May/019768.html
Affected packages: libtirpc libtirpc-devel
Upstream details at: https://rhn.redhat.com/errata/RHSA-2013-0884.html