
[SECURITY] [DLA 1513-1] openafs security update

Package        : openafs
Version        : 1.6.9-2+deb8u8
CVE ID         : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
Debian Bug     : 908616

Several security vulnerabilities were discovered in OpenAFS, a
distributed file system.

CVE-2018-16947

    The backup tape controller process accepts incoming RPCs but does
    not require (or allow for) authentication of those RPCs. Handling
    those RPCs results in operations being performed with administrator
    credentials, including dumping/restoring volume contents and
    manipulating the backup database.

CVE-2018-16948

    Several RPC server routines did not fully initialize their output
    variables before returning, leaking memory contents from both the
    stack and the heap. Because the OpenAFS cache manager functions as
    an Rx server for the AFSCB service, clients are also susceptible to
    information leakage.

CVE-2018-16949

    Several data types used as RPC input variables were implemented as
    unbounded array types, limited only by the inherent 32-bit length
    field to 4GB. An unauthenticated attacker could send, or claim to
    send, large input values and consume server resources waiting for
    those inputs, denying service to other valid connections.


For Debian 8 "Jessie", these problems have been fixed in version
1.6.9-2+deb8u8.

We recommend that you upgrade your openafs packages.
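To verify that the upgrade has actually landed, here is an added example (not part of the advisory) that reimplements the Debian version ordering used by `dpkg --compare-versions`, so an installed version string can be tested against the fixed version 1.6.9-2+deb8u8 even where dpkg is not available. On a real host the installed string comes from `dpkg-query -W -f='${Version}' openafs-client` (or whichever openafs binary package is installed; the binary package name is an assumption here), and the version strings in the comments below are constructed.

```python
# Added example (not from the advisory): Debian version ordering as used by
# dpkg --compare-versions, so an installed openafs version can be checked
# against the DLA 1513-1 fixed version without dpkg being present.
import re
from itertools import zip_longest

FIXED_VERSION = "1.6.9-2+deb8u8"  # fixed version stated in the advisory

def _char_order(c):
    # Non-digit ordering: '~' < end of string < letters < other characters.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit and digit runs, like dpkg's verrevcmp().
    while a or b:
        ma, mb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        for x, y in zip_longest(ma.group(0), mb.group(0), fillvalue=""):
            d = _char_order(x) - _char_order(y)
            if d:
                return -1 if d < 0 else 1
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        na, nb = int(ma.group(0) or "0"), int(mb.group(0) or "0")  # numeric, not lexical
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def _split(version):
    # "[epoch:]upstream[-revision]"; the revision follows the last hyphen.
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1 as Debian version a is older than, equal to or newer than b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_vulnerable(installed, fixed=FIXED_VERSION):
    # True when the installed version predates the fix for the three CVEs.
    # e.g. "1.6.9-2+deb8u7" -> True, "1.6.9-2+deb8u10" -> False (10 > 8 numerically)
    return compare_versions(installed, fixed) < 0
```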

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS