CVSS2: AV:N/AC:L/Au:N/C:C/I:C/A:C
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE
Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
EPSS Percentile: 96.0%
Russ Allbery uploaded new packages for openafs (a distributed file system)
which fixed the following security problems:
CVE-2009-1251
An attacker with control of a file server or the ability to forge RX
packets may be able to execute arbitrary code in kernel mode on an
OpenAFS client, due to a vulnerability in XDR array decoding.
CVE-2009-1250
An attacker with control of a file server or the ability to forge RX
packets may crash OpenAFS clients because of wrongly handled error
return codes in the kernel module.
For the etch-backports distribution, the problem has been fixed in version
1.4.10+dfsg1-1~bpo40+1. There was no previous lenny backport of this
package, so the fixed packages available through the normal Debian security
channels will work, but 1.4.10+dfsg1-1~bpo50+1 is also available (or will
be available soon) from lenny-backports so that the etch-backports version
is not higher than the lenny-backports version.
If you don't use pinning
(http://backports.org/dokuwiki/doku.php?id=instructions) you have to
update the package manually via apt-get -t etch-backports install. You
should upgrade any of the following binary packages that you have
installed:
libopenafs-dev
libpam-openafs-kaserver
openafs-client
openafs-dbg
openafs-dbserver
openafs-doc
openafs-fileserver
openafs-kpasswd
openafs-krb5
openafs-modules-source
to keep versions consistent, but openafs-modules-source is the critical
package with the security fix.
We recommend pinning the backports repository to 200 so that new versions
of installed backports are installed automatically:
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
Note that in order to apply this security update, you must rebuild the
OpenAFS kernel module. Be sure to upgrade openafs-modules-source, build a
new kernel module for your system following the instructions in
/usr/share/doc/openafs-client/README.modules.gz, and then either stop and
restart openafs-client or reboot the system to reload the kernel module.
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
Attachment: pgpa2tak3jRUp.pgp (PGP signature)
OS | OS Version | Architecture | Package | Affected Versions | Fixed Package Filename |
---|---|---|---|---|---|
Debian | 4 | amd64 | openafs-dbserver | < 1.4.2-6etch2 | openafs-dbserver_1.4.2-6etch2_amd64.deb |
Debian | 4 | s390 | openafs-fileserver | < 1.4.2-6etch3 | openafs-fileserver_1.4.2-6etch3_s390.deb |
Debian | 5 | amd64 | openafs-krb5 | < 1.4.7.dfsg1-6+lenny1 | openafs-krb5_1.4.7.dfsg1-6+lenny1_amd64.deb |
Debian | 4 | powerpc | openafs-fileserver | < 1.4.2-6etch2 | openafs-fileserver_1.4.2-6etch2_powerpc.deb |
Debian | 4 | i386 | openafs-dbg | < 1.4.2-6etch2 | openafs-dbg_1.4.2-6etch2_i386.deb |
Debian | 4 | i386 | openafs-dbserver | < 1.4.2-6etch2 | openafs-dbserver_1.4.2-6etch2_i386.deb |
Debian | 5 | s390 | libopenafs-dev | < 1.4.7.dfsg1-6+lenny1 | libopenafs-dev_1.4.7.dfsg1-6+lenny1_s390.deb |
Debian | 5 | arm | openafs-kpasswd | < 1.4.7.dfsg1-6+lenny1 | openafs-kpasswd_1.4.7.dfsg1-6+lenny1_arm.deb |
Debian | 5 | ia64 | libopenafs-dev | < 1.4.7.dfsg1-6+lenny1 | libopenafs-dev_1.4.7.dfsg1-6+lenny1_ia64.deb |
Debian | 5 | armel | libopenafs-dev | < 1.4.7.dfsg1-6+lenny1 | libopenafs-dev_1.4.7.dfsg1-6+lenny1_armel.deb |