* SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
vos -encrypt doesn't encrypt connection data.
Buffer overflows which could cause a serverside denial of service.
- openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
client-supplied ACL entries and protect against client parsing of
bad ACL entries. Thanks to Nickolai Zeldovich.
- openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
overflow in the IdToName RPC. Thanks to Nickolai Zeldovich.
- 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
- 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
- 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
- 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
- 0005-Move-akimpersonate-to-libauth.patch
- 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
- 0007-auth-Do-not-always-fallback-to-noauth.patch
- 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
- 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
- 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
- 0011 skipped because it was a version bump
- 0012-ubik-Fix-encryption-selection-in-ugen.patch
- Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
Andrew Deason, and Michael Meffie for the above patch series.
- swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
Kaseorg.
- OPENAFS-SA-2013-001
- OPENAFS-SA-2013-002
- OPENAFS-SA-2013-003
- OPENAFS-SA-2013-004
- CVE-2013-1794
- CVE-2013-1795
- CVE-2013-4134
- CVE-2013-4135
- LP: #1145560
- LP: #1204195
* Remove debian/source/options, which previously force-collapsed the above
patches into one debian/patches/debian-changes and caused confusing patch
failures later. Thanks to Colin Watson for help with debugging and to
Seth Arnold for identifying the failure.
-- Luke Faraone <email address hidden> Wed, 24 Jul 2013 11:16:48 -0400
This bug was fixed in the package openafs - 1.6.1-2+ubuntu2.1
---------------
openafs (1.6.1-2+ubuntu2.1) quantal-security; urgency=high
* SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
vos -encrypt doesn't encrypt connection data.
Buffer overflows which could cause a serverside denial of service.
- openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
client-supplied ACL entries and protect against client parsing of
bad ACL entries. Thanks to Nickolai Zeldovich.
- openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
overflow in the IdToName RPC. Thanks to Nickolai Zeldovich.
- 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
- 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
- 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
- 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
- 0005-Move-akimpersonate-to-libauth.patch
- 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
- 0007-auth-Do-not-always-fallback-to-noauth.patch
- 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
- 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
- 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
- 0011 skipped because it was a version bump
- 0012-ubik-Fix-encryption-selection-in-ugen.patch
- Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
Andrew Deason, and Michael Meffie for the above patch series.
- swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
Kaseorg.
- OPENAFS-SA-2013-001
- OPENAFS-SA-2013-002
- OPENAFS-SA-2013-003
- OPENAFS-SA-2013-004
- CVE-2013-1794
- CVE-2013-1795
- CVE-2013-4134
- CVE-2013-4135
- LP: #1145560
- LP: #1204195
* Remove debian/source/options, which previously force-collapsed the above
patches into one debian/patches/debian-changes and caused confusing patch
failures later. Thanks to Colin Watson for help with debugging and to
Seth Arnold for identifying the failure.
-- Luke Faraone <email address hidden> Wed, 24 Jul 2013 11:16:48 -0400