An openafs update has been released for Debian 6 LTS
Package : openafs
Version : 1.4.12.1+dfsg-4+squeeze4
CVE ID : CVE-2015-3282 CVE-2015-3283 CVE-2015-3285 CVE-2015-6587
CVE-2015-7762 CVE-2015-7763
Several vulnerabilities have been found and fixed in the distributed file
system OpenAFS:
CVE-2015-3282
vos leaked stack data in the clear on the wire when updating vldb entries.
CVE-2015-3283
OpenAFS allowed remote attackers to spoof bos commands via unspecified
vectors.
CVE-2015-3285
pioctl wrongly used the pointer related to the RPC, allowing local users to
cause a denial of service (memory corruption and kernel panic) via a
crafted OSD FS command.
CVE-2015-6587
vlserver allowed remote authenticated users to cause a denial of service
(out-of-bounds read and crash) via a crafted regular expression in a
VL_ListAttributesN2 RPC.
CVE-2015-7762 and CVE-2015-7763 ("Tattletale")
John Stumpo found that Rx ACK packets leaked plaintext of packets
previously processed.
For Debian 6 "Squeeze", these problems have been fixed in openafs version
1.4.12.1+dfsg-4+squeeze4.
We recommend that you upgrade your OpenAFS packages.
Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/