Debian Security Advisory
DLA-342-1 openafs -- LTS security update
- Date Reported: 18 Nov 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-3282, CVE-2015-3283, CVE-2015-3285, CVE-2015-6587, CVE-2015-7762, CVE-2015-7763.
- More information:
Several vulnerabilities have been found and fixed in the distributed file system OpenAFS:
vos leaked stack data in the clear on the wire when updating vldb entries.
OpenAFS allowed remote attackers to spoof bos commands via unspecified vectors.
pioctl wrongly used the pointer related to the RPC, allowing local users to cause a denial of service (memory corruption and kernel panic) via a crafted OSD FS command.
vlserver allowed remote authenticated users to cause a denial of service (out-of-bounds read and crash) via a crafted regular expression in a VL_ListAttributesN2 RPC.
- CVE-2015-7762 and CVE-2015-7763 ("Tattletale")
John Stumpo found that Rx ACK packets leaked plaintext of packets previously processed.
For Debian 6 Squeeze, these problems have been fixed in openafs version 18.104.22.168+dfsg-4+squeeze4.
We recommend that you upgrade your OpenAFS packages.