[SECURITY] [DLA 1513-1] openafs security update
Package : openafs
Version : 1.6.9-2+deb8u8
CVE ID : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
Debian Bug : 908616
Several security vulnerabilities were discovered in OpenAFS, a
distributed file system.
CVE-2018-16947
The backup tape controller process accepts incoming RPCs but does
not require (or allow for) authentication of those RPCs. Handling
those RPCs results in operations being performed with administrator
credentials, including dumping/restoring volume contents and
manipulating the backup database.
CVE-2018-16948
Several RPC server routines did not fully initialize their output
variables before returning, leaking memory contents from both the
stack and the heap. Because the OpenAFS cache manager functions as
an Rx server for the AFSCB service, clients are also susceptible to
information leakage.
CVE-2018-16949
Several data types used as RPC input variables were implemented as
unbounded array types, limited only by the inherent 32-bit length
field to 4GB. An unauthenticated attacker could send, or claim to
send, large input values and consume server resources waiting for
those inputs, denying service to other valid connections.
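The bounded-array fix described above, as an added illustration that is not OpenAFS code: an XDR-style decoder for a length-prefixed array of 32-bit values checks the claimed length against a declared per-type maximum (the hypothetical max_items) before allocating or reading the body, so a peer that merely claims a huge length is rejected immediately instead of tying up the server. The sample messages are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define DECODE_OK          0
#define DECODE_TOO_LONG   -1   /* claimed length exceeds the declared bound */
#define DECODE_TRUNCATED  -2   /* claimed length exceeds the bytes on hand */
#define DECODE_NOMEM      -3

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode a 32-bit length followed by that many big-endian u32 items.
 * max_items is the bound a bounded XDR type carries; passing UINT32_MAX
 * reproduces the unbounded case, where only the length field limits it. */
int decode_u32_array(const uint8_t *buf, size_t len, uint32_t max_items,
                     uint32_t **out, uint32_t *count) {
    *out = NULL; *count = 0;
    if (len < 4) return DECODE_TRUNCATED;
    uint32_t n = be32(buf);
    /* Reject an over-long claim BEFORE allocating or waiting for the body. */
    if (n > max_items) return DECODE_TOO_LONG;
    if ((uint64_t)n * 4 > (uint64_t)(len - 4)) return DECODE_TRUNCATED;
    uint32_t *items = NULL;
    if (n) { items = calloc(n, sizeof *items); if (!items) return DECODE_NOMEM; }
    for (uint32_t i = 0; i < n; i++) items[i] = be32(buf + 4 + 4 * (size_t)i);
    *out = items; *count = n;
    return DECODE_OK;
}

/* Constructed sample messages, not real AFS traffic. */
static const uint8_t SAMPLE_OK[]    = {0,0,0,2, 0,0,0,7, 0,0,0,9}; /* two items */
static const uint8_t SAMPLE_HUGE[]  = {0xff,0xff,0xff,0xff};       /* claims 4G items */
static const uint8_t SAMPLE_SHORT[] = {0,0,0,3, 0,0,0,1};          /* claims 3, has 1 */

/* Convenience wrappers: status only, and the sum of decoded items (-1 on error). */
int decode_status(const uint8_t *buf, size_t len, uint32_t max_items) {
    uint32_t *out, n;
    int rc = decode_u32_array(buf, len, max_items, &out, &n);
    free(out);
    return rc;
}

long decode_sum(const uint8_t *buf, size_t len, uint32_t max_items) {
    uint32_t *out, n; long sum = 0;
    if (decode_u32_array(buf, len, max_items, &out, &n) != DECODE_OK) return -1;
    for (uint32_t i = 0; i < n; i++) sum += out[i];
    free(out);
    return sum;
}
```

With an unbounded type (max_items = UINT32_MAX) the over-long claim is not rejected up front; a streaming server would instead sit waiting for the promised 16 GB of body, which is the resource-consumption path the advisory describes.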
For Debian 8 "Jessie", these problems have been fixed in version
1.6.9-2+deb8u8.
We recommend that you upgrade your openafs packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS