Advisories » MGASA-2014-0515

Updated openafs packages fix security vulnerabilities

Publication date: 09 Dec 2014
Modification date: 09 Dec 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-0159, CVE-2014-2852, CVE-2014-4044

Description

Updated openafs packages fix security vulnerabilities:

Buffer overflow in the GetStatistics64 remote procedure call (RPC) in OpenAFS
before 1.6.7 allows remote attackers to cause a denial of service (crash) via
a crafted statsVersion argument (CVE-2014-0159).

OpenAFS before 1.6.7 delays the listen thread when an RXS_CheckResponse fails,
which allows remote attackers to cause a denial of service (performance
degradation) via an invalid packet (CVE-2014-2852).

OpenAFS 1.6.8 does not properly clear the fields in the host structure, which
allows remote attackers to cause a denial of service (uninitialized memory
access and crash) via unspecified vectors related to TMAY requests
(CVE-2014-4044).

The OpenAFS package has been updated to version 1.6.10, fixing these issues
and other bugs, as well as providing support for newer kernel versions.
                

References

SRPMS

4/core