| 2009-04-07 08:01:42 |
Anders Kaseorg |
bug |
|
|
added bug |
| 2009-04-07 08:01:51 |
Anders Kaseorg |
visibility |
private |
public |
|
| 2009-04-07 12:33:18 |
Marc Deslauriers |
openafs (Ubuntu): status |
New |
Confirmed |
|
| 2009-04-07 22:03:18 |
Anders Kaseorg |
bug |
|
|
added subscriber Ubuntu Sponsors for universe |
| 2009-04-07 22:06:10 |
Anders Kaseorg |
nominated for series |
|
Ubuntu Dapper |
|
| 2009-04-07 22:06:10 |
Anders Kaseorg |
nominated for series |
|
Ubuntu Gutsy |
|
| 2009-04-07 22:06:10 |
Anders Kaseorg |
nominated for series |
|
Ubuntu Jaunty |
|
| 2009-04-07 22:06:10 |
Anders Kaseorg |
nominated for series |
|
Ubuntu Hardy |
|
| 2009-04-07 22:06:10 |
Anders Kaseorg |
nominated for series |
|
Ubuntu Intrepid |
|
| 2009-04-07 22:18:43 |
Anders Kaseorg |
cve linked |
|
2009-1250 |
|
| 2009-04-07 22:18:43 |
Anders Kaseorg |
cve linked |
|
2009-1251 |
|
| 2009-04-11 02:59:05 |
Anders Kaseorg |
bug |
|
|
added subscriber MOTU Stable Release Updates |
| 2009-04-14 19:04:35 |
Evan Broder |
attachment added |
|
Patch for Hardy http://launchpadlibrarian.net/25465370/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff |
|
| 2009-04-14 19:39:56 |
Kees Cook |
bug task added |
|
openafs (Ubuntu Dapper) |
|
| 2009-04-14 19:41:06 |
Kees Cook |
bug task added |
|
openafs (Ubuntu Hardy) |
|
| 2009-04-14 19:59:03 |
Evan Broder |
attachment removed |
Patch for Hardy http://launchpadlibrarian.net/25465370/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff |
|
|
| 2009-04-14 19:59:57 |
Evan Broder |
attachment added |
|
openafs_1.4.6.dfsg1-2+ubuntu0.1.debdiff http://launchpadlibrarian.net/25466938/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff |
|
| 2009-04-14 20:24:09 |
Evan Broder |
openafs (Ubuntu Hardy): status |
New |
In Progress |
|
| 2009-04-14 20:44:28 |
Evan Broder |
cve linked |
|
2007-6599 |
|
| 2009-04-14 20:44:28 |
Evan Broder |
attachment added |
|
openafs_1.4.1-2+ubuntu0.1.debdiff http://launchpadlibrarian.net/25468149/openafs_1.4.1-2%2Bubuntu0.1.debdiff |
|
| 2009-04-14 20:59:56 |
Kees Cook |
bug task added |
|
openafs (Ubuntu Jaunty) |
|
| 2009-04-14 21:00:13 |
Kees Cook |
bug task added |
|
openafs (Ubuntu Intrepid) |
|
| 2009-04-14 21:20:35 |
Evan Broder |
openafs (Ubuntu Dapper): status |
New |
In Progress |
|
| 2009-04-15 14:22:22 |
Evan Broder |
attachment added |
|
buildlog_ubuntu-jaunty-amd64.openafs_1.4.10+dfsg1-1~broder1.txt http://launchpadlibrarian.net/25492520/buildlog_ubuntu-jaunty-amd64.openafs_1.4.10%2Bdfsg1-1%7Ebroder1.txt |
|
| 2009-04-15 14:22:55 |
Evan Broder |
attachment added |
|
openafs-1.4.10_install_and_test_log.txt http://launchpadlibrarian.net/25492542/openafs-1.4.10_install_and_test_log.txt |
|
| 2009-04-15 14:31:03 |
Evan Broder |
summary |
OpenAFS Security Advisories 2009-001 and 2009-002 |
[FinalFreezeException] OpenAFS Security Advisories 2009-001 and 2009-002 |
|
| 2009-04-15 14:31:03 |
Evan Broder |
description |
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
We're requesting a final freeze exception for this package in Jaunty to sync version 1.4.10+dfsg1-1 from Debian.
Version 1.4.10 includes the patches for OPENAFS-SA-2009-001 and OPENAFS-SA-2009-002, but also includes several other bugfixes, including support for new kernel versions, several memory management issues, and some poor interaction with inotify.
The openafs binary packages have no reverse dependencies, except for other openafs packages, so this update shouldn't affect other packages.
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
|
| 2009-04-15 14:31:33 |
Evan Broder |
bug |
|
|
added subscriber MOTU Release Team |
| 2009-04-15 14:55:50 |
Evan Broder |
attachment added |
|
openafs-1.4.10_alldeltas.txt http://launchpadlibrarian.net/25495186/openafs-1.4.10_alldeltas.txt |
|
| 2009-04-15 15:13:05 |
Luca Falavigna |
openafs (Ubuntu Jaunty): status |
Confirmed |
New |
|
| 2009-04-15 15:17:31 |
Evan Broder |
summary |
[FinalFreezeException] OpenAFS Security Advisories 2009-001 and 2009-002 |
OpenAFS Security Advisories 2009-001 and 2009-002 |
|
| 2009-04-15 15:17:31 |
Evan Broder |
description |
We're requesting a final freeze exception for this package in Jaunty to sync version 1.4.10+dfsg1-1 from Debian.
Version 1.4.10 includes the patches for OPENAFS-SA-2009-001 and OPENAFS-SA-2009-002, but also includes several other bugfixes, including support for new kernel versions, several memory management issues, and some poor interaction with inotify.
The openafs binary packages have no reverse dependencies, except for other openafs packages, so this update shouldn't affect other packages.
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
To fix this for...
Dapper: http://launchpadlibrarian.net/25468149/openafs_1.4.1-2%2Bubuntu0.1.debdiff
Hardy: http://launchpadlibrarian.net/25466938/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff
Intrepid: Sync 1.4.7.dfsg1-6+lenny1 from Debian Lenny.
Jaunty: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
|
| 2009-04-15 15:18:07 |
Evan Broder |
openafs (Ubuntu Jaunty): status |
New |
In Progress |
|
| 2009-04-15 18:59:31 |
Anders Kaseorg |
description |
To fix this for...
Dapper: http://launchpadlibrarian.net/25468149/openafs_1.4.1-2%2Bubuntu0.1.debdiff
Hardy: http://launchpadlibrarian.net/25466938/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff
Intrepid: Sync 1.4.7.dfsg1-6+lenny1 from Debian Lenny.
Jaunty: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
To fix this for...
Dapper: http://launchpadlibrarian.net/25468149/openafs_1.4.1-2%2Bubuntu0.1.debdiff
Hardy: http://launchpadlibrarian.net/25466938/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff
Intrepid: Sync 1.4.7.dfsg1-6+lenny1 from Debian Lenny.
Jaunty: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.dsc
(debdiff for reference: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff )
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
|
| 2009-04-16 14:42:04 |
Marc Deslauriers |
cve linked |
|
2007-1507 |
|
| 2009-04-16 14:42:26 |
Marc Deslauriers |
openafs (Ubuntu Dapper): status |
In Progress |
Incomplete |
|
| 2009-04-16 14:42:26 |
Marc Deslauriers |
openafs (Ubuntu Dapper): assignee |
|
mdeslaur |
|
| 2009-04-16 14:43:02 |
Marc Deslauriers |
openafs (Ubuntu Intrepid): status |
New |
Incomplete |
|
| 2009-04-16 14:43:02 |
Marc Deslauriers |
openafs (Ubuntu Intrepid): assignee |
|
mdeslaur |
|
| 2009-04-16 15:17:38 |
Evan Broder |
attachment removed |
openafs_1.4.1-2+ubuntu0.1.debdiff http://launchpadlibrarian.net/25468149/openafs_1.4.1-2%2Bubuntu0.1.debdiff |
|
|
| 2009-04-16 15:20:03 |
Evan Broder |
attachment added |
|
openafs_1.4.1-2+ubuntu0.1.debdiff http://launchpadlibrarian.net/25541052/openafs_1.4.1-2%2Bubuntu0.1.debdiff |
|
| 2009-04-16 15:22:04 |
Evan Broder |
attachment added |
|
openafs_1.4.7.dfsg1-6+lenny1.debdiff http://launchpadlibrarian.net/25541427/openafs_1.4.7.dfsg1-6%2Blenny1.debdiff |
|
| 2009-04-16 15:24:08 |
Evan Broder |
description |
To fix this for...
Dapper: http://launchpadlibrarian.net/25468149/openafs_1.4.1-2%2Bubuntu0.1.debdiff
Hardy: http://launchpadlibrarian.net/25466938/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff
Intrepid: Sync 1.4.7.dfsg1-6+lenny1 from Debian Lenny.
Jaunty: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.dsc
(debdiff for reference: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff )
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
To fix this for...
Dapper: http://launchpadlibrarian.net/25541052/openafs_1.4.1-2%2Bubuntu0.1.debdiff
This additionally fixes OPENAFS-SA-2007-003 (aka CVE-2007-6599 aka bug #180792) and OPENAFS-SA-2007-001 (aka CVE-2007-1507 aka bug #94787)
Hardy: http://launchpadlibrarian.net/25466938/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff
Intrepid: Sync 1.4.7.dfsg1-6+lenny1 from Debian Lenny.
(debdiff for reference: http://launchpadlibrarian.net/25541427/openafs_1.4.7.dfsg1-6%2Blenny1.debdiff)
Jaunty: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.dsc
(debdiff for reference: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff )
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
|
| 2009-04-16 15:25:03 |
Evan Broder |
openafs (Ubuntu Dapper): status |
Incomplete |
In Progress |
|
| 2009-04-16 15:25:10 |
Evan Broder |
openafs (Ubuntu Intrepid): status |
Incomplete |
In Progress |
|
| 2009-04-16 18:12:33 |
Marc Deslauriers |
openafs (Ubuntu Intrepid): status |
In Progress |
Incomplete |
|
| 2009-04-16 18:51:09 |
Evan Broder |
attachment added |
|
openafs_1.4.1-2+ubuntu0.1.debdiff http://launchpadlibrarian.net/25552980/openafs_1.4.1-2%2Bubuntu0.1.debdiff |
|
| 2009-04-16 18:51:09 |
Evan Broder |
attachment added |
|
openafs_1.4.6.dfsg1-2+ubuntu0.1.debdiff http://launchpadlibrarian.net/25552981/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff |
|
| 2009-04-16 18:51:09 |
Evan Broder |
attachment added |
|
openafs_1.4.7.dfsg1-6+ubuntu0.1.debdiff http://launchpadlibrarian.net/25552982/openafs_1.4.7.dfsg1-6%2Bubuntu0.1.debdiff |
|
| 2009-04-16 18:52:44 |
Evan Broder |
description |
To fix this for...
Dapper: http://launchpadlibrarian.net/25541052/openafs_1.4.1-2%2Bubuntu0.1.debdiff
This additionally fixes OPENAFS-SA-2007-003 (aka CVE-2007-6599 aka bug #180792) and OPENAFS-SA-2007-001 (aka CVE-2007-1507 aka bug #94787)
Hardy: http://launchpadlibrarian.net/25466938/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff
Intrepid: Sync 1.4.7.dfsg1-6+lenny1 from Debian Lenny.
(debdiff for reference: http://launchpadlibrarian.net/25541427/openafs_1.4.7.dfsg1-6%2Blenny1.debdiff)
Jaunty: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.dsc
(debdiff for reference: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff )
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
To fix this for...
Dapper: http://launchpadlibrarian.net/25552980/openafs_1.4.1-2%2Bubuntu0.1.debdiff
This additionally fixes OPENAFS-SA-2007-003 (aka CVE-2007-6599 aka bug #180792) and OPENAFS-SA-2007-001 (aka CVE-2007-1507 aka bug #94787)
Hardy: http://launchpadlibrarian.net/25552981/openafs_1.4.6.dfsg1-2%2Bubuntu0.1.debdiff
Intrepid: http://launchpadlibrarian.net/25552982/openafs_1.4.7.dfsg1-6%2Bubuntu0.1.debdiff
Jaunty: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.9.dfsg1-0+ubuntu1.dsc
(debdiff for reference: http://web.mit.edu/andersk/Public/openafs/openafs_1.4.8.dfsg1-3_1.4.9.dfsg1-0+ubuntu1.debdiff )
===
Two security advisories released today affect all versions of OpenAFS from 1.0 through 1.4.8. They have both been corrected in the simultaneous release of 1.4.9 (which only fixes these two issues over 1.4.8) and 1.4.10 (which also includes other bugfixes). Release announcement:
<http://lists.openafs.org/pipermail/openafs-announce/2009/000285.html>
OPENAFS-SA-2009-001 - Network based buffer overflow attack against Unix cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-001.txt>
AFS's XDR data marshalling language permits the construction of arrays with a size constrained by the interface definition. The XDR decoding language will accept data from the server up to this maximum size, which in some cases is stored into a buffer allocated by the client. In several locations, the AFS client assumes that the server will never return more data than requested, and so allocates a buffer smaller than this maximum size. Whilst this causes no problems when communicating with valid servers, an attacker can return more data than expected, and overflow the client's buffer.
OPENAFS-SA-2009-002 - Denial of service attack against Linux cache manager
<http://www.openafs.org/security/OPENAFS-SA-2009-002.txt>
AFS may pass an error code obtained from the fileserver directly to the Linux kernel, using a Linux mechanism that merges error codes and pointers into a single value. However, this mechanism is unable to distinguish certain error codes from pointers. When AFS returns a code of this type to the kernel, the kernel treats it as a pointer and attempts to dereference it. This causes a kernel panic, and results in a denial of service attack. |
|
| 2009-04-16 18:53:04 |
Evan Broder |
openafs (Ubuntu Intrepid): status |
Incomplete |
In Progress |
|
| 2009-04-16 21:10:30 |
Marc Deslauriers |
openafs (Ubuntu Dapper): status |
In Progress |
Fix Committed |
|
| 2009-04-16 21:10:48 |
Marc Deslauriers |
openafs (Ubuntu Hardy): status |
In Progress |
Fix Committed |
|
| 2009-04-16 21:11:06 |
Marc Deslauriers |
openafs (Ubuntu Intrepid): status |
In Progress |
Fix Committed |
|
| 2009-04-16 22:22:49 |
Launchpad Janitor |
openafs (Ubuntu Jaunty): status |
In Progress |
Fix Released |
|
| 2009-04-20 15:04:38 |
Scott Kitterman |
removed subscriber MOTU Release Team |
|
|
|
| 2009-04-20 20:37:01 |
Launchpad Janitor |
openafs (Ubuntu Intrepid): status |
Fix Committed |
Fix Released |
|
| 2009-04-20 22:12:20 |
Marc Deslauriers |
openafs (Ubuntu Dapper): status |
Fix Committed |
Fix Released |
|
| 2009-04-20 22:12:42 |
Marc Deslauriers |
openafs (Ubuntu Hardy): status |
Fix Committed |
Fix Released |
|
| 2009-07-20 16:20:31 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/dapper-updates/openafs |
|
| 2009-07-20 16:23:07 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/intrepid/openafs/intrepid-security |
|
| 2010-01-02 02:24:45 |
Benjamin Drung |
removed subscriber Ubuntu Sponsors for universe |
|
|
|
| 2013-05-13 05:08:49 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/jaunty/openafs |
|
