CVE-2014-2852 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2852): OpenAFS before 1.6.7 delays the listen thread when an RXS_CheckResponse fails, which allows remote attackers to cause a denial of service (performance degradation) via an invalid packet.
Created attachment 394742: openafs-cve-2014-2852.patch. Upstream has a patch for this: http://openafs.org/pages/security/openafs-sa-2014-001.patch. I've tested: 1.6.5 compiles with it successfully.
Whoops, sorry about that, I posted in the wrong bug report. I meant to post in 507420.
Correct upstream patch: http://git.openafs.org/?p=openafs.git;a=commit;h=19c4d6023c8f616de0d194e560e64576e5986f70. However, it does not apply correctly and will require some work to get it working on 1.6.5.
Fixed version 1.6.11 is in tree. Old unstable versions are removed.
Arch teams, please stabilize =net-fs/openafs-1.6.11.
Stabilization done in bug 536272.
All vulnerable versions are removed from tree.
Vote: NO.
GLSA Vote: No