OpenAFS Security Advisories 2013-0003 and 2013-0004
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openafs (Ubuntu) | Fix Released | Critical | Unassigned | |
| Lucid | Fix Released | Critical | Unassigned | |
| Precise | Fix Released | Critical | Unassigned | |
| Quantal | Fix Released | Critical | Unassigned | |
| Raring | Fix Released | Critical | Unassigned | |
| Saucy | Fix Released | Critical | Unassigned | |
Bug Description
The following OpenAFS security issues were reported to the distros mailing list on July 16, 2013, and are due for public release tomorrow, Wednesday, July 24, 2013:
OpenAFS Security Advisory 2013-0003
Topic: Brute force DES attack permits compromise of AFS cell

OpenAFS Security Advisory 2013-0004
Topic: vos -encrypt doesn't encrypt connection data
The upstream releases that fix these problems are 1.4.15 and 1.6.5, due to be released tomorrow. For saucy, you will want 1.6.5-1 from Debian. For precise, quantal, and raring, upstream has provided a sequence of patches (which I will attach) which should apply to the existing releases. For lucid, upstream has provided a sequence of patches which may or may not apply cleanly, or I can provide the patch sequence which was applied for Debian squeeze (which runs a substantially similar version).
Changed in openafs (Ubuntu Precise):
status: New → Confirmed

Changed in openafs (Ubuntu Raring):
status: New → Confirmed

Changed in openafs (Ubuntu Quantal):
status: New → Confirmed

Changed in openafs (Ubuntu Lucid):
status: New → Confirmed
assignee: nobody → Luke Faraone (lfaraone)
information type: Private Security → Public Security

Changed in openafs (Ubuntu Saucy):
status: Confirmed → Fix Committed
These patches are from upstream and should apply cleanly to 1.6.4, and only slightly less cleanly to other 1.6.x versions. Patches 0001 through 0010 address OPENAFS-SA-2013-0003. Patch 0012 addresses OPENAFS-SA-2013-0004. You probably don't need patch 0011, which is about bumping the version number.