[SECURITY] [DLA 493-1] openafs security update



Package        : openafs
Version        : 1.6.1-3+deb7u6
CVE ID         : CVE-2015-8312 CVE-2016-2860 CVE-2016-4536

 * CVE-2015-8312:
   Off-by-one error in afs_pioctl.c in OpenAFS before 1.6.16 might allow
   local users to cause a denial of service (memory overwrite and system
   crash) via a pioctl with an input buffer size of 4096 bytes.

 * CVE-2016-2860:
   The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17
   allows remote authenticated users from foreign Kerberos realms to
   bypass intended access restrictions and create arbitrary groups as
   administrators by leveraging mishandling of the creator ID.

 * CVE-2016-4536:
   The client in OpenAFS before 1.6.17 does not properly initialize the
   (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes,
   and (4) ListAddrByAttributes structures, which might allow remote
   attackers to obtain sensitive memory information by leveraging access
   to RPC call traffic.


For Debian 7 "Wheezy", these problems have been fixed in version
1.6.1-3+deb7u6.

We recommend that you upgrade your openafs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
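
The bug class behind CVE-2016-4536, shown as an added example that is not OpenAFS code or part of the advisory: a request structure is only partly filled in, yet every field is marshalled onto the wire. The struct layout, mask bit, function names and the 0xAA fill pattern are constructed for illustration, and zeroing the structure before use is an assumed remediation, not the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request struct; NOT the real AFSStoreStatus layout. */
struct store_status {
    uint32_t mask;       /* says which of the fields below are meaningful */
    uint32_t mod_time;
    uint32_t owner;
    uint32_t group;
    uint32_t mode_bits;
};
#define SET_MODE 0x8u    /* constructed mask bit: only mode_bits is valid */
#define NWORDS (sizeof(struct store_status) / sizeof(uint32_t))

/* The marshaller copies every field to the wire, whatever the mask says. */
static void marshal(const struct store_status *s, uint32_t wire[NWORDS]) {
    memcpy(wire, s, sizeof *s);
}

/* Weak form: only the fields the caller cares about are assigned. */
static void build_unsafe(struct store_status *s, uint32_t mode) {
    s->mask = SET_MODE;
    s->mode_bits = mode;
}

/* Hardened form: clear the whole structure before filling it in. */
static void build_safe(struct store_status *s, uint32_t mode) {
    memset(s, 0, sizeof *s);
    s->mask = SET_MODE;
    s->mode_bits = mode;
}

/* Count wire words that still carry the stale pattern after marshalling. */
static size_t leaked_words(void (*build)(struct store_status *, uint32_t)) {
    struct store_status slot;
    uint32_t wire[NWORDS];
    size_t i, n = 0;
    memset(&slot, 0xAA, sizeof slot);  /* constructed stand-in for old memory */
    build(&slot, 0644);
    marshal(&slot, wire);
    for (i = 0; i < NWORDS; i++)
        if (wire[i] == 0xAAAAAAAAu) n++;
    return n;
}

int main(void) {
    printf("stale words on the wire: unsafe=%zu safe=%zu\n",
           leaked_words(build_unsafe), leaked_words(build_safe));
    return 0;
}
```

The receiver ignores the unmasked fields, so the leak is invisible in normal operation and only shows up to someone reading the RPC traffic.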



Reply to: