[SECURITY] [DLA 342-1] openafs security update

Package        : openafs
Version        :
CVE ID         : CVE-2015-3282 CVE-2015-3283 CVE-2015-3285 CVE-2015-6587
                 CVE-2015-7762 CVE-2015-7763

Several vulnerabilities have been found and fixed in the distributed file
system OpenAFS:


    vos leaked stack data in the clear on the wire when updating vldb entries.


    OpenAFS allowed remote attackers to spoof bos commands via unspecified


    pioctl wrongly used the pointer related to the RPC, allowing local users to
    cause a denial of service (memory corruption and kernel panic) via a
    crafted OSD FS command.


    vlserver allowed remote authenticated users to cause a denial of service
    (out-of-bounds read and crash) via a crafted regular expression in a
    VL_ListAttributesN2 RPC.

CVE-2015-7762 and CVE-2015-7763 ("Tattletale")

    John Stumpo found that Rx ACK packets leaked plaintext of packets
    previously processed.

For Debian 6 "Squeeze", these problems have been fixed in openafs version

We recommend that you upgrade your OpenAFS packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/ 
