Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 355533 - <net-fs/openafs-1.4.14: multiple vulnerabilities (CVE-2011-{0430,0431})
Summary: <net-fs/openafs-1.4.14: multiple vulnerabilities (CVE-2011-{0430,0431})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2011-02-19 09:30 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-04-07 21:53 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 09:30:22 UTC
Some vulnerabilities have been reported in OpenAFS, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to cause a DoS and potentially compromise a vulnerable system.

1) An error within the "afs_linux_lock()" function in src/afs/LINUX/osi_vnodeops.c can be exploited to cause a kernel crash.

Note: This only affects Linux systems.

2) A double-free error within the RX server can be exploited to cause a crash and potentially execute arbitrary code by sending specially crafted ASN1 encoded values to the RX server.

Update to version 1.4.14.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 09:32:04 UTC
It's not obvious whether 1.4.14 fixes all of those vulnerabilities. Secunia claims it does, but there are no recent security advisories on .
Comment 2 Andrej Filipcic 2011-02-19 10:08:11 UTC
I will request masking and removal of older releases.
Comment 3 SpanKY gentoo-dev 2011-02-19 17:21:30 UTC
we cant remove 1.4.9 until 1.4.14 is stabilized
Comment 4 Andrej Filipcic 2011-03-02 17:53:33 UTC
I suggest to stabilize openafs 1.4.14. It is reported not to have the security vulnerability and it has been in unstable for more than a month with no problems reported.
Comment 5 SpanKY gentoo-dev 2011-09-18 21:37:11 UTC
openafs-1.4.14-r1 and openafs-kernel-1.4.14 are now stable
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:41:52 UTC
(In reply to comment #5)
> openafs-1.4.14-r1 and openafs-kernel-1.4.14 are now stable

Great, thanks. GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 15:17:56 UTC
CVE-2011-0430 (
  Double free vulnerability in the Rx server process in OpenAFS 1.4.14,
  1.4.12, 1.4.7, and possibly other versions allows remote attackers to cause
  a denial of service and execute arbitrary code via unknown vectors.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 21:53:01 UTC
This issue was resolved and addressed in
 GLSA 201404-05 at
by GLSA coordinator Mikle Kolyada (Zlogene).