Description Some vulnerabilities have been reported in OpenAFS, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to cause a DoS and potentially compromise a vulnerable system. 1) An error within the "afs_linux_lock()" function in src/afs/LINUX/osi_vnodeops.c can be exploited to cause a kernel crash. Note: This only affects Linux systems. 2) A double-free error within the RX server can be exploited to cause a crash and potentially execute arbitrary code by sending specially crafted ASN1 encoded values to the RX server. Solution Update to version 1.4.14. Provided and/or discovered by Reported by the vendor. Original Advisory OpenAFS: http://www.openafs.org/release/latest.html
It's not obvious whether 1.4.14 fixes all of those vulnerabilities. Secunia claims it does, but there are no recent security advisories on http://www.openafs.org/security .
I will request masking and removal of older releases.
we cant remove 1.4.9 until 1.4.14 is stabilized
I suggest to stabilize openafs 1.4.14. It is reported not to have the security vulnerability and it has been in unstable for more than a month with no problems reported.
openafs-1.4.14-r1 and openafs-kernel-1.4.14 are now stable
(In reply to comment #5) > openafs-1.4.14-r1 and openafs-kernel-1.4.14 are now stable Great, thanks. GLSA request filed.
CVE-2011-0430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0430): Double free vulnerability in the Rx server process in OpenAFS 1.4.14, 1.4.12, 1.4.7, and possibly other versions allows remote attackers to cause a denial of service and execute arbitrary code via unknown vectors.
This issue was resolved and addressed in GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml by GLSA coordinator Mikle Kolyada (Zlogene).