
[SECURITY] [DLA 342-1] openafs security update



Package        : openafs
Version        : 1.4.12.1+dfsg-4+squeeze4
CVE ID         : CVE-2015-3282 CVE-2015-3283 CVE-2015-3285 CVE-2015-6587
                 CVE-2015-7762 CVE-2015-7763

Several vulnerabilities have been found and fixed in the distributed file
system OpenAFS:

CVE-2015-3282

    vos sent uninitialized stack data in the clear on the wire when updating
    VLDB entries, disclosing the contents of that memory to the network.

CVE-2015-3283

    OpenAFS allowed remote attackers to spoof bos (basic overseer) commands
    via unspecified vectors.

CVE-2015-3285

    The pioctl handler for the OSD FS command used the wrong pointer when
    writing user-supplied data, allowing local users to cause a denial of
    service (memory corruption and kernel panic) via a crafted OSD FS command.

CVE-2015-6587

    vlserver allowed remote authenticated users to cause a denial of service
    (out-of-bounds read and crash) via a crafted regular expression in a
    VL_ListAttributesN2 RPC.

CVE-2015-7762 and CVE-2015-7763 ("Tattletale")

    John Stumpo found that Rx acknowledgement (ACK) packets contained
    uninitialized memory and so leaked the plaintext of packets previously
    processed, including the decrypted contents of packets that had been
    encrypted on the wire.


For Debian 6 "Squeeze", these problems have been fixed in openafs version
1.4.12.1+dfsg-4+squeeze4.

We recommend that you upgrade your OpenAFS packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/ 
