| Summary: | <net-fs/openafs{,-kernel}-1.6.12-r1: Multiple vulnerabilities (CVE-2015-{3282,3283,3284,3285,3286}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Adam Feldman <np-hardass> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | bircoph, net-fs, proxy-maint, steve |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | B3 [noglsa/cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Adam Feldman
2015-07-30 20:29:10 UTC
Advisories from upstream:

- http://www.openafs.org/pages/security/OPENAFS-SA-2015-001.txt
- http://www.openafs.org/pages/security/OPENAFS-SA-2015-002.txt
- http://www.openafs.org/pages/security/OPENAFS-SA-2015-003.txt
- http://www.openafs.org/pages/security/OPENAFS-SA-2015-004.txt
- http://www.openafs.org/pages/security/OPENAFS-SA-2015-005.txt

All affected ebuilds have been patched in their -r1s in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=526f3a75301840d7e04e436ca06aaa341b006d2c.

CVE-2015-3286 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3286): Buffer overflow in the Solaris kernel extension in OpenAFS before 1.6.13 allows local users to cause a denial of service (panic or deadlock) or possibly have other unspecified impact via a large group list when joining a PAG.

CVE-2015-3285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3285): The pioctl for the OSD FS command in OpenAFS before 1.6.13 uses the wrong pointer when writing the results of the RPC, which allows local users to cause a denial of service (memory corruption and kernel panic) via a crafted OSD FS command.

CVE-2015-3284 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3284): pioctls in OpenAFS 1.6.x before 1.6.13 allow local users to read kernel memory via crafted commands.

CVE-2015-3283 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3283): OpenAFS before 1.6.13 allows remote attackers to spoof bos commands via unspecified vectors.

CVE-2015-3282 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3282): vos in OpenAFS before 1.6.13, when updating VLDB entries, allows remote attackers to obtain stack data by sniffing the network.

What version would you like to stabilize?

(In reply to Yury German from comment #4)
> What version would you like to stabilize?

1.6.14 looks too new, so 1.6.12-r1 seems to be a reasonable choice.

1.6.12-r1 stable for amd64 and x86. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77a9222b64402b1476d0fb86de5979fbba60c78f

CC'ing sparc team for STABLEREQ.

Sorry about that, mixed up keywording and stabilization in my head. Reverted my stabilization of 1.6.12-r1 for amd64 and x86.

Arches, please test and mark stable:
=net-fs/openafs-1.6.12-r1
=net-fs/openafs-kernel-1.6.12-r1
Target Keywords : "amd64 sparc x86"
Thank you!

amd64 stable

sparc stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

GLSA Vote: No

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

All vulnerable versions are removed from the tree. Thank you all.

Closing as noglsa.