
[Backports-security-announce] Security Update for openafs



Russ Allbery uploaded new packages for openafs (a distributed file system)
which fix the following security problems:

CVE-2009-1251

    An attacker with control of a file server or the ability to forge RX
    packets may be able to execute arbitrary code in kernel mode on an
    OpenAFS client, due to a vulnerability in XDR array decoding.

CVE-2009-1250

    An attacker with control of a file server or the ability to forge RX
    packets may crash OpenAFS clients because of wrongly handled error
    return codes in the kernel module.

For the etch-backports distribution, these problems have been fixed in
version 1.4.10+dfsg1-1~bpo40+1.  There was no previous lenny backport of
this package, so on lenny the fixed packages available through the normal
Debian security channels are sufficient; 1.4.10+dfsg1-1~bpo50+1 is
nevertheless also available (or will be available soon) from
lenny-backports so that the etch-backports version is not higher than the
lenny-backports version.

Upgrade instructions
--------------------
  
If you don't use pinning
(http://backports.org/dokuwiki/doku.php?id=instructions) you have to
update the package manually via apt-get -t etch-backports install.  You
should upgrade any of the following binary packages that you have
installed:

    libopenafs-dev
    libpam-openafs-kaserver
    openafs-client
    openafs-dbg
    openafs-dbserver
    openafs-doc
    openafs-fileserver
    openafs-kpasswd
    openafs-krb5
    openafs-modules-source

to keep versions consistent, but openafs-modules-source is the package that
carries the security fix, since both vulnerabilities are in the kernel module.

We recommend pinning the backports repository to 200 so that new versions
of installed backports are installed automatically (use a=etch-backports on
etch, a=lenny-backports on lenny):

    Package: *
    Pin: release a=etch-backports
    Pin-Priority: 200

Note that in order to apply this security update, you must rebuild the
OpenAFS kernel module.  Be sure to upgrade openafs-modules-source, build a
new kernel module for your system following the instructions in
/usr/share/doc/openafs-client/README.modules.gz, and then either stop and
restart openafs-client or reboot the system to reload the kernel module.
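To decide which of the listed binaries on a host are still below the fixed version, and to catch a kernel module package built from an older openafs-modules-source that apt will not replace, here is an added Python example; it is not part of this announcement or of the openafs packaging. It reimplements dpkg's version ordering (including the "~" rule that makes 1~bpo40+1 sort below 1, the reason for the lenny-backports note above) and audits dpkg-query output. The package list and fixed version are taken from the announcement; the sample installed versions and the openafs-modules-<kernel> package name are constructed for illustration.

```python
"""Audit installed OpenAFS packages against the fixed etch-backports version.

Added example, not from the announcement or the openafs packaging.  The
version ordering follows dpkg's algorithm so it runs without dpkg present;
the dpkg-query output at the bottom is a constructed sample.
"""

# Binary packages named in the announcement and the fixed version for etch.
ADVISORY_PACKAGES = {
    "libopenafs-dev", "libpam-openafs-kaserver", "openafs-client", "openafs-dbg",
    "openafs-dbserver", "openafs-doc", "openafs-fileserver", "openafs-kpasswd",
    "openafs-krb5", "openafs-modules-source",
}
FIXED_VERSION = "1.4.10+dfsg1-1~bpo40+1"


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """dpkg character weight: '~' < end of string < letters < other chars."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream or revision part like dpkg: alternate non-digit
    runs (weighted by _order) with digit runs (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):   # longer digit run wins
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision]; the revision is after the last '-'."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as `dpkg --compare-versions` would."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def audit(dpkg_output: str, fixed: str = FIXED_VERSION) -> dict:
    """Parse `dpkg-query -W -f '${Package} ${Version}\\n'` output.
    'upgrade': advisory packages installed below the fixed version.
    'rebuild': openafs-modules-<kernel> packages built from an older
               openafs-modules-source; apt does not replace these, they
               must be rebuilt and the module reloaded."""
    report = {"upgrade": [], "rebuild": []}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        if compare_versions(version, fixed) >= 0:
            continue
        if name in ADVISORY_PACKAGES:
            report["upgrade"].append((name, version))
        elif name.startswith("openafs-modules-"):
            report["rebuild"].append((name, version))
    return report


def apt_command(report: dict, suite: str = "etch-backports") -> str:
    """The manual upgrade line from the announcement for the packages found."""
    names = " ".join(sorted(n for n, _ in report["upgrade"]))
    return f"apt-get -t {suite} install {names}"


# Constructed sample; not captured from a real host.
SAMPLE = """\
openafs-client 1.4.2-6
openafs-krb5 1.4.10+dfsg1-1~bpo40+1
openafs-modules-2.6.18-6-686 1.4.2-6+2.6.18.dfsg.1-24
openafs-modules-source 1.4.2-6
libc6 2.3.6.ds1-13
"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(apt_command(result))
    for name, ver in result["rebuild"]:
        print(f"{name} ({ver}) was built from an old openafs-modules-source: "
              "rebuild it per README.modules.gz, then restart openafs-client")
```

Run it on real output with `dpkg-query -W -f '${Package} ${Version}\n' | python3 audit.py` after replacing SAMPLE with stdin; the "rebuild" list is the check that matters here, because the upgraded openafs-modules-source alone does not touch the module that is actually loaded.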

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Attachment: pgpa2tak3jRUp.pgp
Description: PGP signature

