[SECURITY] [DSA 2899-1] openafs security update

2014-04-0919:59:09

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

AI Score

6.3

Confidence

High

EPSS

0.3

Percentile

97.0%

JSON

Debian Security Advisory DSA-2899-1 [email protected]
http://www.debian.org/security/ Thijs Kinkhorst
April 09, 2014 http://www.debian.org/security/faq

Package : openafs
CVE ID : CVE-2014-0159

Michael Meffie discovered that in OpenAFS, a distributed filesystem,
an attacker with the ability to connect to an OpenAFS fileserver can
trigger a buffer overflow, crashing the fileserver, and potentially
permitting the execution of arbitrary code.

In addition, this update addresses a minor denial of service issue:
the listerer thread of the server will hang for about one second when
receiving an invalid packet, giving the opportunity to slow down
the server to an unusable state by sending such packets.

For the oldstable distribution (squeeze), this problem has been fixed
in version 1.4.12.1+dfsg-4+squeeze3.

For the stable distribution (wheezy), this problem has been fixed in
version 1.6.1-3+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.7-1.

We recommend that you upgrade your openafs packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7s390xopenafs-client< 1.6.1-3+deb7u2openafs-client_1.6.1-3+deb7u2_s390x.deb
Debian7armhfopenafs-dbserver< 1.6.1-3+deb7u2openafs-dbserver_1.6.1-3+deb7u2_armhf.deb
Debian7powerpcopenafs-fuse< 1.6.1-3+deb7u2openafs-fuse_1.6.1-3+deb7u2_powerpc.deb
Debian7ia64openafs-krb5< 1.6.1-3+deb7u2openafs-krb5_1.6.1-3+deb7u2_ia64.deb
Debian6allopenafs< 1.4.12.1+dfsg-4+squeeze3openafs_1.4.12.1+dfsg-4+squeeze3_all.deb
Debian6armelopenafs-kpasswd< 1.4.12.1+dfsg-4+squeeze3openafs-kpasswd_1.4.12.1+dfsg-4+squeeze3_armel.deb
Debian6allopenafs-doc< 1.4.12.1+dfsg-4+squeeze3openafs-doc_1.4.12.1+dfsg-4+squeeze3_all.deb
Debian7sparcopenafs-dbg< 1.6.1-3+deb7u2openafs-dbg_1.6.1-3+deb7u2_sparc.deb
Debian6amd64openafs-dbg< 1.4.12.1+dfsg-4+squeeze3openafs-dbg_1.4.12.1+dfsg-4+squeeze3_amd64.deb
Debian7i386libkopenafs1< 1.6.1-3+deb7u2libkopenafs1_1.6.1-3+deb7u2_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	s390x	openafs-client	< 1.6.1-3+deb7u2	openafs-client_1.6.1-3+deb7u2_s390x.deb
Debian	7	armhf	openafs-dbserver	< 1.6.1-3+deb7u2	openafs-dbserver_1.6.1-3+deb7u2_armhf.deb
Debian	7	powerpc	openafs-fuse	< 1.6.1-3+deb7u2	openafs-fuse_1.6.1-3+deb7u2_powerpc.deb
Debian	7	ia64	openafs-krb5	< 1.6.1-3+deb7u2	openafs-krb5_1.6.1-3+deb7u2_ia64.deb
Debian	6	all	openafs	< 1.4.12.1+dfsg-4+squeeze3	openafs_1.4.12.1+dfsg-4+squeeze3_all.deb
Debian	6	armel	openafs-kpasswd	< 1.4.12.1+dfsg-4+squeeze3	openafs-kpasswd_1.4.12.1+dfsg-4+squeeze3_armel.deb
Debian	6	all	openafs-doc	< 1.4.12.1+dfsg-4+squeeze3	openafs-doc_1.4.12.1+dfsg-4+squeeze3_all.deb
Debian	7	sparc	openafs-dbg	< 1.6.1-3+deb7u2	openafs-dbg_1.6.1-3+deb7u2_sparc.deb
Debian	6	amd64	openafs-dbg	< 1.4.12.1+dfsg-4+squeeze3	openafs-dbg_1.4.12.1+dfsg-4+squeeze3_amd64.deb
Debian	7	i386	libkopenafs1	< 1.6.1-3+deb7u2	libkopenafs1_1.6.1-3+deb7u2_i386.deb