[SECURITY] [DLA 342-1] openafs security update

2015-11-1808:30:53

lists.debian.org

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

72.6%

JSON

Package : openafs
Version : 1.4.12.1+dfsg-4+squeeze4
CVE ID : CVE-2015-3282 CVE-2015-3283 CVE-2015-3285 CVE-2015-6587
CVE-2015-7762 CVE-2015-7763

Several vulnerabilities have been found and solved in the distributed file
system OpenAFS:

CVE-2015-3282

vos leaked stack data clear on the wire when updating vldb entries.

CVE-2015-3283

OpenAFS allowed remote attackers to spoof bos commands via unspecified
vectors.

CVE-2015-3285

pioctl wrongly used the pointer related to the RPC, allowing local users to
cause a denial of service (memory corruption and kernel panic) via a
crafted OSD FS command.

CVE-2015-6587

vlserver allowed remote authenticated users to cause a denial of service
(out-of-bounds read and crash) via a crafted regular expression in a
VL_ListAttributesN2 RPC.

CVE-2015-7762 and CVE-2015-7763 ("Tattletale")

John Stumpo found that Rx ACK packets leaked plaintext of packets
previously processed.

For Debian 6 "Squeeze", these problems have been fixed in openafs version
1.4.12.1+dfsg-4+squeeze4.

We recommend that you upgrade your OpenAFS packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/

OSVersionArchitecturePackageVersionFilename
Debian6allopenafs-dbg< 1.4.12.1+dfsg-4+squeeze4openafs-dbg_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6alllibopenafs-dev< 1.4.12.1+dfsg-4+squeeze4libopenafs-dev_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6allopenafs-kpasswd< 1.4.12.1+dfsg-4+squeeze4openafs-kpasswd_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6allopenafs-modules-dkms< 1.4.12.1+dfsg-4+squeeze4openafs-modules-dkms_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6allopenafs-modules-source< 1.4.12.1+dfsg-4+squeeze4openafs-modules-source_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6allopenafs-krb5< 1.4.12.1+dfsg-4+squeeze4openafs-krb5_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6allopenafs-fileserver< 1.4.12.1+dfsg-4+squeeze4openafs-fileserver_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6allopenafs-dbserver< 1.4.12.1+dfsg-4+squeeze4openafs-dbserver_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6allopenafs< 1.4.12.1+dfsg-4+squeeze4openafs_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian6alllibpam-openafs-kaserver< 1.4.12.1+dfsg-4+squeeze4libpam-openafs-kaserver_1.4.12.1+dfsg-4+squeeze4_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	all	openafs-dbg	< 1.4.12.1+dfsg-4+squeeze4	openafs-dbg_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	libopenafs-dev	< 1.4.12.1+dfsg-4+squeeze4	libopenafs-dev_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	openafs-kpasswd	< 1.4.12.1+dfsg-4+squeeze4	openafs-kpasswd_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	openafs-modules-dkms	< 1.4.12.1+dfsg-4+squeeze4	openafs-modules-dkms_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	openafs-modules-source	< 1.4.12.1+dfsg-4+squeeze4	openafs-modules-source_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	openafs-krb5	< 1.4.12.1+dfsg-4+squeeze4	openafs-krb5_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	openafs-fileserver	< 1.4.12.1+dfsg-4+squeeze4	openafs-fileserver_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	openafs-dbserver	< 1.4.12.1+dfsg-4+squeeze4	openafs-dbserver_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	openafs	< 1.4.12.1+dfsg-4+squeeze4	openafs_1.4.12.1+dfsg-4+squeeze4_all.deb
Debian	6	all	libpam-openafs-kaserver	< 1.4.12.1+dfsg-4+squeeze4	libpam-openafs-kaserver_1.4.12.1+dfsg-4+squeeze4_all.deb