Advisories » MGASA-2021-0509

Updated openafs packages fix security vulnerability

Publication date: 11 Nov 2021
Modification date: 11 Nov 2021
Type: security
Affected Mageia releases : 8
CVE: CVE-2018-7168

Description

Openafs packages have been updated to 1.9.1 for various bugfixes,
and added a fix for security vulnerability:

There exist in the wild AFS3 clients that improperly construct access
control lists which are then stored to directories via RXAFS_StoreACL
(opcode 134). These clients add negative access control entries (if any)
to the normal rights list. As there is no method by which a fileserver
can determine that the ACL is improperly constructed, the only method
to defend the storage of broken ACLs is to identify clients that are
known to properly construct ACLs by introducing a new RXAFS_StoreACL
opcode (164) (CVE-2018-7168).

Additionally the CellServDB has been updated to latest version and
fixes for suppoorting kernel 5.14 and 5.15 series have been added.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=29639
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7168

SRPMS

8/core

• openafs-1.9.1-1.mga8