Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-342-1 openafs

Debian Security Advisory

DLA-342-1 openafs -- LTS security update

Date Reported:

18 Nov 2015

Affected Packages:

openafs

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-3282, CVE-2015-3283, CVE-2015-3285, CVE-2015-6587, CVE-2015-7762, CVE-2015-7763.

More information:

Several vulnerabilities have been found and solved in the distributed file system OpenAFS:

• CVE-2015-3282

  vos leaked stack data clear on the wire when updating vldb entries.

• CVE-2015-3283

  OpenAFS allowed remote attackers to spoof bos commands via unspecified vectors.

• CVE-2015-3285

  pioctl wrongly used the pointer related to the RPC, allowing local users to cause a denial of service (memory corruption and kernel panic) via a crafted OSD FS command.

• CVE-2015-6587

  vlserver allowed remote authenticated users to cause a denial of service (out-of-bounds read and crash) via a crafted regular expression in a VL_ListAttributesN2 RPC.

• CVE-2015-7762 and CVE-2015-7763 ("Tattletale")

  John Stumpo found that Rx ACK packets leaked plaintext of packets previously processed.

For Debian 6 Squeeze, these problems have been fixed in openafs version 1.4.12.1+dfsg-4+squeeze4.

We recommend that you upgrade your OpenAFS packages.