Updated openafs packages fix security vulnerabilities
Publication date: 02 Nov 2015
Modification date: 02 Nov 2015
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-7762, CVE-2015-7763
Description
Updated openafs packages fix security vulnerabilities: When constructing an Rx acknowledgment (ACK) packet, Andrew-derived Rx implementations do not initialize three octets of data that are padding in the C language structure and were inadvertently included in the wire protocol (CVE-2015-7762). Additionally, OpenAFS Rx before version 1.6.14 includes a variable-length padding at the end of the ACK packet, in an attempt to detect the path MTU, but only four octets of the additional padding are initialized (CVE-2015-7763).
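The two flaws described above share one pattern: octets that are sent on the wire but never written. The following is an added example, not OpenAFS code; the struct layout, the function names, the 0xAA stale-memory marker and the sample values are all constructed for illustration. It models the struct padding and the partly initialized trailing padding next to a version that zeroes everything it sends.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STALE 0xAA  /* constructed marker standing in for old memory contents */

/* Hypothetical ACK layout for this example, not the OpenAFS definition. */
struct demo_ack {
    uint32_t first_packet;
    uint32_t serial;
    uint8_t  reason;   /* the compiler adds 3 padding octets after this */
};

static void put_fields(unsigned char *buf, const struct demo_ack *a) {
    memcpy(buf + offsetof(struct demo_ack, first_packet), &a->first_packet, 4);
    memcpy(buf + offsetof(struct demo_ack, serial), &a->serial, 4);
    buf[offsetof(struct demo_ack, reason)] = a->reason;
}

/* Flawed: sends sizeof(struct) plus probe_pad octets, sets only 4 pad octets. */
size_t build_ack_leaky(unsigned char *buf, const struct demo_ack *a, size_t probe_pad) {
    put_fields(buf, a);
    memset(buf + sizeof *a, 0, probe_pad < 4 ? probe_pad : 4);
    return sizeof *a + probe_pad;
}

/* Hardened: zero every octet that will be sent, then fill the fields. */
size_t build_ack_clean(unsigned char *buf, const struct demo_ack *a, size_t probe_pad) {
    memset(buf, 0, sizeof *a + probe_pad);
    put_fields(buf, a);
    return sizeof *a + probe_pad;
}

/* Number of octets in the outgoing packet that still hold stale memory. */
size_t leaked_octets(int hardened, size_t probe_pad) {
    unsigned char buf[256];
    struct demo_ack a = { 1000, 42, 2 };           /* constructed values */
    size_t len, i, n = 0;
    if (probe_pad > sizeof buf - sizeof a) probe_pad = sizeof buf - sizeof a;
    memset(buf, STALE, sizeof buf);                /* simulate a reused buffer */
    len = (hardened ? build_ack_clean : build_ack_leaky)(buf, &a, probe_pad);
    for (i = 0; i < len; i++) n += (buf[i] == STALE);
    return n;
}

int main(void) {
    printf("leaky: %zu, hardened: %zu\n", leaked_octets(0, 20), leaked_octets(1, 20));
    return 0;
}
```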
References
- https://bugs.mageia.org/show_bug.cgi?id=17050
- http://openafs.org/pages/security/OPENAFS-SA-2015-007.txt
- http://openafs.org/dl/openafs/1.6.14/RELNOTES-1.6.14
- http://openafs.org/dl/openafs/1.6.14.1/RELNOTES-1.6.14.1
- http://openafs.org/dl/openafs/1.6.15/RELNOTES-1.6.15
- https://lists.openafs.org/pipermail/openafs-announce/2015/000493.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7762
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7763
SRPMS
5/core
- openafs-1.6.15-1.mga5