Debian DLA-342-1 : openafs security update
Medium Nessus Plugin ID 86920
Synopsis
The remote Debian host is missing a security update.
Description
Several vulnerabilities have been found and fixed in the distributed file system OpenAFS:
- vos leaked stack data in the clear on the wire when updating vldb entries.
- OpenAFS allowed remote attackers to spoof bos commands via unspecified vectors.
- pioctl wrongly used the pointer related to the RPC, allowing local users to cause a denial of service (memory corruption and kernel panic) via a crafted OSD FS command.
- vlserver allowed remote authenticated users to cause a denial of service (out-of-bounds read and crash) via a crafted regular expression in a VL_ListAttributesN2 RPC.
- CVE-2015-7762 and CVE-2015-7763 ('Tattletale'): John Stumpo found that Rx ACK packets leaked plaintext of packets previously processed.
For Debian 6 'Squeeze', these problems have been fixed in openafs version 18.104.22.168+dfsg-4+squeeze4.
We recommend that you upgrade your OpenAFS packages.
Learn more about the Debian Long Term Support (LTS) Project and how to apply these updates at: https://wiki.debian.org/LTS/
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Upgrade the affected packages.