[SECURITY] [DLA 1982-1] openafs security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1982-1] openafs security update
From: Markus Koschany <apo@debian.org>
Date: Wed, 6 Nov 2019 01:08:55 +0100
Message-id: <[🔎] f7ffbdf4-5e2f-4e56-865f-7b7f9bc62301@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : openafs
Version        : 1.6.9-2+deb8u9
CVE ID         : CVE-2019-18601 CVE-2019-18602 CVE-2019-18603
Debian Bug     : 943587

Several security vulnerabilities were discovered in OpenAFS, a
distributed file system.

CVE-2019-18601

    OpenAFS is prone to denial of service from unserialized data access
    because remote attackers can make a series of VOTE_Debug RPC calls
    to crash a database server within the SVOTE_Debug RPC handler.

CVE-2019-18602

    OpenAFS is prone to an information disclosure vulnerability because
    uninitialized scalars are sent over the network to a peer.

CVE-2019-18603

    OpenAFS is prone to information leakage upon certain error
    conditions because uninitialized RPC output variables are sent over
    the network to a peer.

For Debian 8 "Jessie", these problems have been fixed in version
1.6.9-2+deb8u9.

We recommend that you upgrade your openafs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl3CDxdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSUUg/+MYSPighw/0EvL1S/VaJQlde/Epz0VSuebd8YxYKuvlxQ7m/dKfU2dtq5
AhJm0H2GRqOGCJr23CFv0g+fs8W9kYcgdZ26an2JZPV68oigSiIyMAh+W+/BYkgw
/mHXe+9KfaRbUdMermaW7ag99JYkvdKmZSfM5/v5RVum3CNSWSd0dG/qKDa/cVOs
RRTTCVtKjGhTHw46RK17z7Z7FCTPXeZu+tqvKb8K2MxhksNTHUe2+CdRmyvTj41Q
QnTUkRDlyYkIfR5HX3JmbFTzZNKHOnt9jcMxsHJXT7Oq0R08Qjc7uY0IPS09Csjz
K+UmYNwfwJRCSFJUV1UuptrZjT2YWkr7lPBwpxbuMsi4gNTZpnTn7WiAWl7Tfn2/
JXKbzA+PJDt2V+r9CWk+ACxbG1DTGChgrVRtJi/5NjczDHjJcmXd/DwBRgOObgls
ZvbHvtqySyXuX5aMxDPk0LjTb+z/Zl/8vbmYuSWS7WAIgjiurH30N3qdjRjpeS+V
pN45yioaeJqjz+6qodOiCP4pJv7OyXey/aJNAbDdOtwCzAqiV6KCkpAR7D64GUtY
6xThFrbB3AKAjZ3oQGp2czbiB9r0xIvdh6mOM+jh7rEOvwG9yW8Jvm2bzOAOwcPZ
cjTfqJQQXQ+VanocEQof0rBwR/8vxX05D8AMn/sVbVfzTeW0ZOM=
=sePJ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1981-1] cpio security update
Next by Date: [SECURITY] [DLA 1983-1] simplesamlphp security update
Previous by thread: [SECURITY] [DLA 1981-1] cpio security update
Next by thread: [SECURITY] [DLA 1983-1] simplesamlphp security update
Index(es):
- Date
- Thread