Debian Security Advisory

DSA-142-1 openafs -- integer overflow

Date Reported:
5 Aug 2002
Affected Packages:
openafs
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 5356.
In Mitre's CVE dictionary: CVE-2002-0391.
CERT's vulnerabilities, advisories and incident notes: VU#192995.
More information:

An integer overflow bug has been discovered in the RPC library used by the OpenAFS database server, which is derived from the SunRPC library. This bug could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes. No exploits are known yet.
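The advisory describes the bug class only in general terms: an RPC decoder trusts a length field from the wire, multiplies it by an element size, and the product wraps to a small value, so a short allocation is followed by a much longer copy. The following is an added illustration of that class and its fix, written for this page; it is not OpenAFS's or SunRPC's code, and the function names (naive_alloc_size, safe_alloc_size, decode_array_len) and the 32-bit big-endian length prefix are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Read a 4-byte big-endian length prefix from an untrusted buffer.
 * (Constructed example format, not the real wire encoding.) Returns 0 if
 * fewer than 4 bytes are available. */
int decode_array_len(const uint8_t *buf, size_t buflen, uint32_t *count) {
    if (buflen < 4) return 0;
    *count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
             ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    return 1;
}

/* The buggy pattern: count * elsize computed in 32 bits wraps silently,
 * so a huge attacker-chosen count yields a tiny allocation size. Returned
 * so the wrap can be observed; never use this value to size a buffer. */
uint32_t naive_alloc_size(uint32_t count, uint32_t elsize) {
    return count * elsize;
}

/* The hardened form: bound the count by an application-level maximum and
 * reject any product that does not fit in size_t. Returns 1 and sets *out
 * on success, 0 when the request must be refused. */
int safe_alloc_size(uint32_t count, size_t elsize, uint32_t maxcount,
                    size_t *out) {
    if (elsize == 0 || count > maxcount) return 0;
    if ((size_t)count > SIZE_MAX / elsize) return 0;  /* would overflow */
    *out = (size_t)count * elsize;
    return 1;
}

/* Decode a length prefix and allocate storage for that many elements,
 * refusing anything the hardened check rejects. NULL means rejected or
 * out of memory. */
void *decode_and_alloc(const uint8_t *buf, size_t buflen, size_t elsize,
                       uint32_t maxcount, uint32_t *count_out) {
    uint32_t count;
    size_t nbytes;
    if (!decode_array_len(buf, buflen, &count)) return NULL;
    if (!safe_alloc_size(count, elsize, maxcount, &nbytes)) return NULL;
    *count_out = count;
    return calloc(count, elsize);
}

/* Stand-alone demonstration on a constructed length prefix that wraps
 * when multiplied by a 4-byte element size. */
int main(void) {
    const uint8_t evil[4] = { 0x40, 0x00, 0x00, 0x01 };  /* count 0x40000001 */
    uint32_t count = 0;
    size_t n;
    decode_array_len(evil, sizeof evil, &count);
    /* 0x40000001 * 4 wraps to 4 in 32-bit arithmetic */
    (void)naive_alloc_size(count, 4);
    /* the hardened check refuses the same count */
    return safe_alloc_size(count, 4, 1u << 20, &n) ? 1 : 0;
}
```

The important design point is that the check happens before any allocation and is expressed as a division rather than a multiplication, so it cannot itself overflow; the maximum count is an explicit protocol limit rather than whatever the wire says.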

This problem has been fixed in version 1.2.3final2-6 for the current stable distribution (woody) and in version 1.2.6-1 for the unstable distribution (sid). Debian 2.2 (potato) is not affected since it does not contain OpenAFS packages.

OpenAFS is only available for the architectures alpha, i386, powerpc, s390 and sparc, so we only provide fixed packages for these.

We recommend that you upgrade your openafs packages.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.2.3final2-6.dsc
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.2.3final2-6.diff.gz
http://security.debian.org/pool/updates/main/o/openafs/openafs_1.2.3final2.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/o/openafs/openafs-modules-source_1.2.3final2-6_all.deb
Alpha:
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.2.3final2-6_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.2.3final2-6_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.2.3final2-6_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.2.3final2-6_alpha.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.2.3final2-6_alpha.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.2.3final2-6_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.2.3final2-6_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.2.3final2-6_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.2.3final2-6_i386.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.2.3final2-6_i386.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.2.3final2-6_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.2.3final2-6_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.2.3final2-6_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.2.3final2-6_powerpc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.2.3final2-6_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.2.3final2-6_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.2.3final2-6_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.2.3final2-6_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.2.3final2-6_s390.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.2.3final2-6_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.2.3final2-6_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.2.3final2-6_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.2.3final2-6_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.2.3final2-6_sparc.deb
http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.2.3final2-6_sparc.deb

MD5 checksums of the listed files are available in the original advisory.