Bug 536272 (CVE-2014-4044)

Summary: <net-fs/openafs-1.6.11: DoS vulnerability (CVE-2014-4044)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: andrej.filipcic, bircoph, net-fs, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 544158    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 00:59:40 UTC
CVE-2014-4044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4044):
  OpenAFS 1.6.8 does not properly clear the fields in the host structure,
  which allows remote attackers to cause a denial of service (uninitialized
  memory access and crash) via unspecified vectors related to TMAY requests.
Comment 1 Adam Feldman gentoo-dev 2015-01-24 02:10:56 UTC
Upstream patch: http://openafs.org/pages/security/openafs-sa-2013-004.patch

We currently don't have a 1.6.8 in the tree, but when I get some time, I'll see if I can test it for patch-application and compilation.
Comment 2 Andrew Savchenko gentoo-dev 2015-03-22 21:51:15 UTC
Fixed version 1.6.11 is in tree. Old unstable versions are removed.
Comment 3 Andrew Savchenko gentoo-dev 2015-03-22 22:01:40 UTC
Arch teams, please stabilize =net-fs/openafs-1.6.11.
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-24 08:51:48 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-03-24 08:52:45 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-03-24 08:58:17 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Andrew Savchenko gentoo-dev 2015-03-25 02:41:19 UTC
All vulnerable versions are removed from tree.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 20:41:21 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:27:18 UTC
GLSA Vote: No