Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 478282 (CVE-2013-4135)

Summary: <net-fs/openafs-1.6.5: Traffic Encryption Information Disclosure Security Issue (CVE-2013-4135)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: andrej.filipcic, net-fs, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/54184/
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 478296, 478498    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-07-26 19:39:41 UTC
From ${URL} :

Description

A security issue has been reported in OpenAFS, which can be exploited by malicious people to 
disclose certain sensitive information.

The security issue is caused due to an unspecified error when handing the "-encrypt" option passed 
to the "vos" volume management command and can be exploited to disclose the communication contents 
via e.g. MitM (Man-in-the-Middle) attacks.

The security issue is reported in versions prior to 1.6.5 and 1.4.15.


Solution:
Update to version 1.6.5 or 1.4.15.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.openafs.org/pages/security/OPENAFS-SA-2013-004.txt




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett gentoo-dev Security 2013-09-11 05:28:16 UTC
GLSA vote: yes.
Comment 2 Sergey Popov gentoo-dev Security 2013-09-20 09:13:29 UTC
GLSA vote: yes

Added to existing GLSA draft
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-11-12 23:31:29 UTC
CVE-2013-4135 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4135):
  The vos command in OpenAFS 1.6.x before 1.6.5, when using the -encrypt
  option, only enables integrity protection and sends data in cleartext, which
  allows remote attackers to obtain sensitive information by sniffing the
  network.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 21:53:06 UTC
This issue was resolved and addressed in
 GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml
by GLSA coordinator Mikle Kolyada (Zlogene).