On 22 Feb 2011, at 18:53, Andrew Deason wrote: > On Tue, 22 Feb 2011 13:50:26 -0500 > Jack Neely <[email protected]> wrote: > >> Folks, >> >> I've just come across CVE-2011-0430 and CVE-2011-0431 both against >> OpenAFS 1.4.14. Both CVEs site 1.4.14 as affected, but as far as I can >> tell these issues were fixed in the 1.4.14 upstream release. >> >> Can anyone confirm if those bugs have been corrected in 1.4.14? > > The CVEs are incorrect; both issues were fixed in 1.4.14. An official > announcement from openafs.org about these issues will hopefully be > available soon.
For various reasons (none of them to do with Debian), Debian publicised those CVEs, and their corresponding security release, before we were ready to publish our advisory. Sadly, we're now left playing catch up. Even more sadly, the text that Debian registered for those CVEs is, as Andrew indicates, incorrect. CVE-2011-0430 affects only RX servers using rxkad authentication. This means fileservers and database servers, but NOT the cache manager. A remote attacker may cause such a server to crash. The bug is present from 1.2.8 thru 1.4.12.1 and 1.5.0 thru 1.5.74 CVE-2001-0431 is a bug in the Linux cache manager. A local attacker with access to the AFS file space may cause the cache manager to oops. This bug is present from 1.4.11 thru 1.4.12.1 and 1.5.61 thru 1.5.74. Note that it is rare that kernel bugs which causes oopses result in security advisories. Left to our own devices, OpenAFS would probably not have issued an advisory for this issue. 1.4.14 fixes both of these issues. Hopefully I'll get the website updated shortly. In the mean time, if you would like patches for older versions of OpenAFS, they are available using the following git SHA1s: 0430 is fixed by 707a959c96b01506f6d8eacbbf47a872af882626 0431 is fixed by beaf16069ed9a9f3355adfdf5e03b2bb28c21a8a Cheers, Simon. _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
