-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2834
              [SECURITY] [DLA 1513-1] openafs security update
                             24 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openafs
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16949 CVE-2018-16948 CVE-2018-16947

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/09/msg00024.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running openafs check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : openafs
Version        : 1.6.9-2+deb8u8
CVE ID         : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
Debian Bug     : 908616

Several security vulnerabilities were discovered in OpenAFS, a distributed
file system.

CVE-2018-16947

    The backup tape controller process accepts incoming RPCs but does not
    require (or allow for) authentication of those RPCs. Handling those RPCs
    results in operations being performed with administrator credentials,
    including dumping/restoring volume contents and manipulating the backup
    database.

CVE-2018-16948

    Several RPC server routines did not fully initialize their output
    variables before returning, leaking memory contents from both the stack
    and the heap.
    Because the OpenAFS cache manager functions as an Rx server for the
    AFSCB service, clients are also susceptible to information leakage.

CVE-2018-16949

    Several data types used as RPC input variables were implemented as
    unbounded array types, limited only by the inherent 32-bit length field
    to 4GB. An unauthenticated attacker could send, or claim to send, large
    input values and consume server resources waiting for those inputs,
    denying service to other valid connections.

For Debian 8 "Jessie", these problems have been fixed in version
1.6.9-2+deb8u8.

We recommend that you upgrade your openafs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlulL3JfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSFiQ/+N5zSKU33vo/yZjWbjRWnciclAiybLLkG4eH7ww9j6jpXn4HLAd2wP7pA
arKZid6/fjanAXi7qm/juZchCQ5YFTZQYbvykQl+y6RW5o7CUXzZ0nWVum+iwY6C
aF08w6ENFcEzMTRps5mYzpaAKQ42uCKZtvNCP7n4ef/DEPAgyhm9RZTI/4paGnXX
CcrLsQV3uRtUSMsjR3qRs1UOr2GqAce+0xN5AnGq4+Jf77a4OB7zJ67/hMGh5LoI
6Fv6QEM4M4ulH+3TvDe0EVYrWLgjZXr8ecYK4K7p23giDYDEOIIb1H6bA7ULwFph
v2rg6azMCG6fO0FAN63d4ZAPkjUS3qQrnqucF8DRTCMf5C4rJ6g3jXYGt1l3GNGQ
zMu0Dj2rnCMPpoEwJiVmbbgr2xbtiGa1VIr0y4Jlm2/6kwgCi9q7pkdp3oLhNdyQ
0QlX/GxivBfRwUgrAWx4VhNPOSYKi3gTk+TKxCr7lFxhVeAd/gq7Kygc8L36+Fpt
aSbGYq+x6foFsVkLNRjoW8VSPSPaINQs8I1czMvJbuQz5xgDEGxSFXZCsiyrxMkT
Soy7uhE43o528oKLL8h9fcKphA95Dh/VIfmIobIRXmlWcbCrfRBUQhfvjsPppcCi
IasV3LbehwoHqzg8v9XTzgmNOBMJoI9EkrO+sNFDq8+x9PqUPaw=
=Qwif
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW6ghjWaOgq3Tt24GAQh3Aw/+PuFURk0096HRwboTpI5K6u+gTRCwGMZZ
qMY1ZnEqByVwRSKrL0UzLM75k44+Nt+imuE+xg27dkaFPfqYsXKmLxRNoTnFs0ka
lOukqy2OW4yVVWTQ5utjA/McVWs5bwUQ95gmtcJwRShQCRRk6d1Oqlmsg9eumL+F
XzXPCARPisAev5/8z1sjW05Jdhy/fSzepnxLsd475A6oDY3WcPSTG47YkcjJ17pS
cofwR68suRx626ePmHx/gXAONqvw4glINit4OM0E+qa84EpGIVonNwaV7WmlM73G
DjOCH9gCxHRNv7GAtfUWkOM4Wkwktj1kVKwGIMy13EEg1uj7XgqYWr2Y5juDG9Fx
cSacjJGWM7X3BAmMy0VNOgcaoNBtbpOQOZ0OEX9/GlESc2mqzjZqoPipNNkrOnY1
cB8WqdWrQreAzy4fEBxgbCU6I00riy9qZQ+FewP4zBdiFLtZ/3lqAgkdDJo/P5C3
NGOT7gBZEPto4CjpfXS1NFYUBwXR2CuYCPBjPXOTodsSurSwIgt8U4gSEwLKlWbP
wBll0pQJhQDcc9xIE68/GP5Gt8NQTM+AvbU0ftZfjcQfv8r/EVd7Rm4vCHsrc3UE
5Tu860dZPTYy87lW2518HyJ+KK9ET8u2gHkLRkQdMJu5ubrZhx4oKG5nCzzZvcfU
RPV1flIplqg=
=1Nxe
-----END PGP SIGNATURE-----
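The two server-side defect patterns named in the included Debian text, CVE-2018-16948 (RPC output variables returned without being fully initialized) and CVE-2018-16949 (variable-length RPC inputs bounded only by their 32-bit length field), as an added C illustration. This is not part of the AusCERT bulletin and is not OpenAFS or Rx source code: the `rpc_reply` record, the XDR-style big-endian count prefix, the `MAX_NAME_ELEMS` bound and the sample headers are all constructed for the example. The 0xAA marker the caller writes into the reply buffer stands in for whatever a real stack or heap buffer held before the handler ran; the fixed handler clears the whole record before filling it, and the length check rejects an oversized declared count before any memory is allocated or any wait for payload begins.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not OpenAFS code. */

/* --- Incompletely initialized output (the CVE-2018-16948 pattern) ------ */

/* Hypothetical wire record: a status word plus a fixed-width name field. */
typedef struct {
    uint32_t status;
    char     name[16];
} rpc_reply;

/* Unfixed pattern: only the bytes the handler writes are defined; the rest
 * of the record keeps whatever the buffer held, and that goes on the wire. */
static void fill_reply_leaky(rpc_reply *out, const char *name)
{
    size_t n = strlen(name);
    if (n > sizeof out->name - 1) n = sizeof out->name - 1;
    out->status = 0;
    memcpy(out->name, name, n);
    out->name[n] = '\0';            /* bytes after the terminator untouched */
}

/* Fixed pattern: clear the whole record first so no stale bytes can leak. */
static void fill_reply_clean(rpc_reply *out, const char *name)
{
    size_t n = strlen(name);
    if (n > sizeof out->name - 1) n = sizeof out->name - 1;
    memset(out, 0, sizeof *out);
    memcpy(out->name, name, n);
}

/* Pre-fill the record with a 0xAA marker (a stand-in for old stack/heap
 * contents), run the handler, and count marker bytes that survived. */
static size_t count_stale_bytes(void (*fill)(rpc_reply *, const char *),
                                const char *name)
{
    rpc_reply r;
    memset(&r, 0xAA, sizeof r);
    fill(&r, name);
    const unsigned char *p = (const unsigned char *)&r;
    size_t stale = 0;
    for (size_t i = 0; i < sizeof r; i++)
        if (p[i] == 0xAA) stale++;
    return stale;
}

size_t stale_bytes_leaky(const char *name) { return count_stale_bytes(fill_reply_leaky, name); }
size_t stale_bytes_clean(const char *name) { return count_stale_bytes(fill_reply_clean, name); }

/* --- Unbounded length prefix (the CVE-2018-16949 pattern) -------------- */

/* XDR-style variable-length array: a big-endian 32-bit element count followed
 * by the elements. The wire format alone permits counts up to 2^32 - 1. */
enum { MAX_NAME_ELEMS = 256 };      /* constructed protocol-level bound */

typedef enum { LEN_OK = 0, LEN_SHORT = 1, LEN_TOO_LARGE = 2 } len_result;

/* Validate the declared count against the bound before committing any
 * resource to it. On LEN_OK the count is stored in *out_count. */
len_result check_array_length(const uint8_t *buf, size_t buflen,
                              uint32_t max_elems, uint32_t *out_count)
{
    if (buflen < 4) return LEN_SHORT;             /* no complete count yet */
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (n > max_elems) return LEN_TOO_LARGE;      /* reject before alloc/wait */
    *out_count = n;
    return LEN_OK;
}

/* Constructed sample headers: a modest count, and one claiming ~4 GB. */
static const uint8_t hdr_small[4] = { 0x00, 0x00, 0x00, 0x10 };
static const uint8_t hdr_huge[4]  = { 0xFF, 0xFF, 0xFF, 0xFF };

int check_small(void)     { uint32_t n; return check_array_length(hdr_small, 4, MAX_NAME_ELEMS, &n) == LEN_OK && n == 16; }
int check_huge(void)      { uint32_t n; return check_array_length(hdr_huge,  4, MAX_NAME_ELEMS, &n) == LEN_TOO_LARGE; }
int check_truncated(void) { uint32_t n; return check_array_length(hdr_small, 2, MAX_NAME_ELEMS, &n) == LEN_SHORT; }

int main(void)
{
    printf("stale bytes left by unfixed handler: %zu\n", stale_bytes_leaky("vol"));
    printf("stale bytes left by fixed handler:   %zu\n", stale_bytes_clean("vol"));
    printf("count 16 accepted: %d, count 2^32-1 rejected: %d, short header rejected: %d\n",
           check_small(), check_huge(), check_truncated());
    return 0;
}
```

With the name "vol", the unfixed handler leaves the 12 unused bytes of `name[]` exactly as the caller's buffer had them, which is the kind of content that reaches the network in the leak described above; the fixed handler leaves none. The length check is the part a reviewer looks for in any handler that decodes a count-prefixed array: the bound must be enforced on the declared value, before the server allocates for it or blocks waiting for the data it announces.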