From ${URL} :

Description:
A security issue has been reported in OpenAFS, which can be exploited by malicious people to disclose certain sensitive information.

The security issue is caused due to an unspecified error when handling the "-encrypt" option passed to the "vos" volume management command and can be exploited to disclose the communication contents via e.g. MitM (Man-in-the-Middle) attacks.

The security issue is reported in versions prior to 1.6.5 and 1.4.15.

Solution: Update to version 1.6.5 or 1.4.15.

Provided and/or discovered by: Reported by the vendor.

Original Advisory: http://www.openafs.org/pages/security/OPENAFS-SA-2013-004.txt

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
GLSA vote: yes.
GLSA vote: yes. Added to existing GLSA draft.
CVE-2013-4135 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4135): The vos command in OpenAFS 1.6.x before 1.6.5, when using the -encrypt option, only enables integrity protection and sends data in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
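As an added illustration (not code from this bug, from the GLSA, or from the OpenAFS project), the following Python audit helper encodes the version boundaries stated above: on the 1.4.x branch "-encrypt" only delivers confidentiality from 1.4.15, and on the 1.6.x branch from 1.6.5. It then scans a constructed list of shell command lines and reports any "vos ... -encrypt" invocation that would run on an affected release, i.e. where the operator expects encryption but the data goes over the wire in cleartext. The function names, the treatment of a suffixed version such as "1.6.5pre1" as older than the plain release, and the "not-covered" result for branches the advisory does not mention are assumptions of this example.

```python
import re
import shlex
from typing import List, Tuple

# First fixed release per branch, as given in the advisory text above.
FIXED_BY_BRANCH = {
    (1, 4): (1, 4, 15),
    (1, 6): (1, 6, 5),
}

_COMPONENT = re.compile(r"^(\d+)(.*)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[suffix]' into a comparable tuple.

    The fourth element is 1 for a final release and 0 for anything carrying
    a suffix (e.g. '1.6.5pre1'), so a pre-release sorts below the release
    with the same number. (Assumption of this example, not an OpenAFS rule.)
    """
    nums: List[int] = []
    prerelease = False
    for part in text.strip().split(".")[:3]:
        m = _COMPONENT.match(part)
        if not m:
            raise ValueError(f"unrecognised version component: {part!r}")
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], 0 if prerelease else 1)


def encrypt_flag_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-covered' for CVE-2013-4135."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        # 1.5.x, 1.7.x etc. are not named in the advisory; report, don't guess.
        return "not-covered"
    return "affected" if v < fixed + (1,) else "fixed"


def audit_vos_encrypt(version: str, commands: List[str]) -> List[str]:
    """Return the command lines that invoke `vos` with -encrypt on an
    affected release; on a fixed release the list is empty."""
    if encrypt_flag_status(version) != "affected":
        return []
    flagged = []
    for line in commands:
        argv = shlex.split(line)
        if argv and argv[0] == "vos" and "-encrypt" in argv[1:]:
            flagged.append(line)
    return flagged


# Constructed sample command lines (not taken from any real host).
SAMPLE_COMMANDS = [
    "vos move -id user.alice -froms fs1 -fromp a -tos fs2 -top b -encrypt",
    "vos listvol fs1 -encrypt",
    "vos examine user.alice",
    "fs listquota /afs",
]

if __name__ == "__main__":
    for ver in ("1.6.2", "1.6.5", "1.4.14", "1.4.15"):
        print(ver, encrypt_flag_status(ver))
    for line in audit_vos_encrypt("1.6.2", SAMPLE_COMMANDS):
        print("cleartext despite -encrypt:", line)
```

The audit deliberately keys off the installed version rather than the presence of the flag: on 1.6.5 or 1.4.15 the same command lines are fine, so the remediation is the version bump the GLSA describes, not removing "-encrypt" from scripts.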
This issue was resolved and addressed in GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml by GLSA coordinator Mikle Kolyada (Zlogene).