Debian Security Advisory

DLA-342-1 openafs -- LTS security update

Date Reported:
18 Nov 2015
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2015-3282, CVE-2015-3283, CVE-2015-3285, CVE-2015-6587, CVE-2015-7762, CVE-2015-7763.
More information:

Several vulnerabilities have been found and solved in the distributed file system OpenAFS:

  • CVE-2015-3282

    vos leaked stack data clear on the wire when updating vldb entries.

  • CVE-2015-3283

    OpenAFS allowed remote attackers to spoof bos commands via unspecified vectors.

  • CVE-2015-3285

    pioctl wrongly used the pointer related to the RPC, allowing local users to cause a denial of service (memory corruption and kernel panic) via a crafted OSD FS command.

  • CVE-2015-6587

    vlserver allowed remote authenticated users to cause a denial of service (out-of-bounds read and crash) via a crafted regular expression in a VL_ListAttributesN2 RPC.

  • CVE-2015-7762 and CVE-2015-7763 ("Tattletale")

    John Stumpo found that Rx ACK packets leaked plaintext of packets previously processed.

For Debian 6 Squeeze, these problems have been fixed in openafs version

We recommend that you upgrade your OpenAFS packages.