- -------------------------------------------------------------------------
Debian Security Advisory DSA-4302-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 23, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openafs
CVE ID         : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
Debian Bug     : 908616

Several vulnerabilities were discovered in openafs, an implementation of
the distributed filesystem AFS. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-16947

    Jeffrey Altman reported that the backup tape controller (butc)
    process does accept incoming RPCs but does not require (or allow
    for) authentication of those RPCs, allowing an unauthenticated
    attacker to perform volume operations with administrator
    credentials.

    https://openafs.org/pages/security/OPENAFS-SA-2018-001.txt

CVE-2018-16948

    Mark Vitale reported that several RPC server routines do not fully
    initialize output variables, leaking memory contents (from both
    the stack and the heap) to the remote caller for
    otherwise-successful RPCs.

    https://openafs.org/pages/security/OPENAFS-SA-2018-002.txt

CVE-2018-16949

    Mark Vitale reported that an unauthenticated attacker can consume
    large amounts of server memory and network bandwidth via
    specially crafted requests, resulting in denial of service to
    legitimate clients.

    https://openafs.org/pages/security/OPENAFS-SA-2018-003.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.6.20-2+deb9u2.

We recommend that you upgrade your openafs packages.

For the detailed security status of openafs please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/source-package/openafs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Debian: DSA-4302-1: openafs security update

September 23, 2018
Several vulnerabilities were discovered in openafs, an implementation of the distributed filesystem AFS

Summary

CVE-2018-16947

Jeffrey Altman reported that the backup tape controller (butc)
process does accept incoming RPCs but does not require (or allow
for) authentication of those RPCs, allowing an unauthenticated
attacker to perform volume operations with administrator
credentials.

https://openafs.org/pages/security/OPENAFS-SA-2018-001.txt

CVE-2018-16948

Mark Vitale reported that several RPC server routines do not fully
initialize output variables, leaking memory contents (from both
the stack and the heap) to the remote caller for
otherwise-successful RPCs.

https://openafs.org/pages/security/OPENAFS-SA-2018-002.txt

CVE-2018-16949

Mark Vitale reported that an unauthenticated attacker can consume
large amounts of server memory and network bandwidth via
specially crafted requests, resulting in denial of service to
legitimate clients.

https://openafs.org/pages/security/OPENAFS-SA-2018-003.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.6.20-2+deb9u2.

We recommend that you upgrade your openafs packages.

For the detailed security status of openafs please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/source-package/openafs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Severity
Several vulnerabilities were discovered in openafs, an implementation of
the distributed filesystem AFS. The Common Vulnerabilities and Exposures
project identifies the following problems:

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up