Hi there,

I see that Debian packages have been patched to correct the two CVEs (1.4.12.1+dfsg-4).
I'd like to know if Ubuntu packages could receive the same love! Thank you.

Thomas.

On Tue, Feb 22, 2011 at 10:59 PM, Simon Wilkinson <[email protected]> wrote:
>
> On 22 Feb 2011, at 18:53, Andrew Deason wrote:
>
> > On Tue, 22 Feb 2011 13:50:26 -0500
> > Jack Neely <[email protected]> wrote:
> >
> >> Folks,
> >>
> >> I've just come across CVE-2011-0430 and CVE-2011-0431 both against
> >> OpenAFS 1.4.14. Both CVEs cite 1.4.14 as affected, but as far as I can
> >> tell these issues were fixed in the 1.4.14 upstream release.
> >>
> >> Can anyone confirm if those bugs have been corrected in 1.4.14?
> >
> > The CVEs are incorrect; both issues were fixed in 1.4.14. An official
> > announcement from openafs.org about these issues will hopefully be
> > available soon.
>
> For various reasons (none of them to do with Debian), Debian publicised
> those CVEs, and their corresponding security release, before we were ready
> to publish our advisory. Sadly, we're now left playing catch up.
>
> Even more sadly, the text that Debian registered for those CVEs is, as
> Andrew indicates, incorrect.
>
> CVE-2011-0430 affects only RX servers using rxkad authentication. This
> means fileservers and database servers, but NOT the cache manager. A remote
> attacker may cause such a server to crash. The bug is present from 1.2.8
> thru 1.4.12.1 and 1.5.0 thru 1.5.74
>
> CVE-2001-0431 is a bug in the Linux cache manager. A local attacker with
> access to the AFS file space may cause the cache manager to oops. This bug
> is present from 1.4.11 thru 1.4.12.1 and 1.5.61 thru 1.5.74. Note that it is
> rare that kernel bugs which cause oopses result in security advisories.
> Left to our own devices, OpenAFS would probably not have issued an advisory
> for this issue.
>
> 1.4.14 fixes both of these issues.
>
> Hopefully I'll get the website updated shortly. In the meantime, if you
> would like patches for older versions of OpenAFS, they are available using
> the following git SHA1s:
>
> 0430 is fixed by 707a959c96b01506f6d8eacbbf47a872af882626
> 0431 is fixed by beaf16069ed9a9f3355adfdf5e03b2bb28c21a8a
>
> Cheers,
>
> Simon.
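
The affected ranges given in Simon Wilkinson's message, as an added example (not part of the thread, and not OpenAFS or Debian code): a Python check that maps a version string to the CVEs whose stated range contains it. The `fixed` parameter is an assumption of this example for recording backported fixes, because a distribution package such as 1.4.12.1+dfsg-4 keeps the old upstream number after it has been patched.

```python
import re

# Affected upstream ranges (inclusive), as stated in the quoted message.
AFFECTED = {
    "CVE-2011-0430": [("1.2.8", "1.4.12.1"), ("1.5.0", "1.5.74")],
    "CVE-2011-0431": [("1.4.11", "1.4.12.1"), ("1.5.61", "1.5.74")],
}


def upstream_tuple(version, width=4):
    """Return the upstream part of a version string as a zero-padded int tuple.

    A Debian-style epoch ("1:") and any packaging suffix ("+dfsg-4") are
    dropped, so only the dotted upstream number takes part in comparisons.
    """
    version = version.split(":", 1)[-1]
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = [int(p) for p in match.group().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def affected_cves(version, fixed=()):
    """List the CVEs whose stated range contains `version`.

    `fixed` names CVEs the packager reports as patched (for example from the
    package changelog); the version number alone cannot reveal a backport.
    """
    v = upstream_tuple(version)
    return sorted(
        cve
        for cve, ranges in AFFECTED.items()
        if cve not in fixed
        and any(upstream_tuple(lo) <= v <= upstream_tuple(hi) for lo, hi in ranges)
    )


if __name__ == "__main__":
    # Constructed sample inputs: upstream releases and one packaged version.
    for sample in ("1.4.10", "1.4.12.1", "1.4.12.1+dfsg-4", "1.4.14", "1.5.60"):
        print(sample, affected_cves(sample))
```
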
