1) CVE-2019-18601
Description: "OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of service from unserialized data access because remote attackers can make a series of VOTE_Debug RPC calls to crash a database server within the SVOTE_Debug RPC handler."
Advisory: https://openafs.org/pages/security/OPENAFS-SA-2019-003.txt

2) CVE-2019-18602
Description: "OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to an information disclosure vulnerability because uninitialized scalars are sent over the network to a peer."
Advisory: https://openafs.org/pages/security/OPENAFS-SA-2019-002.txt

3) CVE-2019-18603
Description: "OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to information leakage upon certain error conditions because uninitialized RPC output variables are sent over the network to a peer."
Advisory: https://openafs.org/pages/security/OPENAFS-SA-2019-001.txt
@maintainer(s), please create an appropriate ebuild
@maintainer(s), please bump this
ping
This may be last-rited if there is no response. Please tell us what your plans are.
(In reply to Sam James from comment #4)
> This may be last-rited if there is no response. Please tell us what your
> plans are.

It's on my list, but OpenAFS updates are quite time consuming so I can't give you a time estimate. Patches are welcome. I will update the 1.8.x branch only.
(In reply to Andrew Savchenko from comment #5)
> (In reply to Sam James from comment #4)
> > This may be last-rited if there is no response. Please tell us what your
> > plans are.
>
> It's on my list, but OpenAFS updates are quite time consuming so I can't
> give you a time estimate. Patches are welcome. I will update 1.8.x branch
> only.

This might help: https://bugs.gentoo.org/736160#c2
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9e3fbc9f8f1990ab161537c1e0ce3658489f20d

commit d9e3fbc9f8f1990ab161537c1e0ce3658489f20d
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2020-09-13 09:40:58 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2020-09-13 09:47:49 +0000

    net-fs/openafs: update to 1.8.6

    - Version bump to 1.8.6, this fixes many bugs,
    - including CVE-2019-1860{1..3}.
    - Update to the latest upstream stable 1_8_x branch, which fixes
      more bugs and brings kernel 5.9 support.
    - Migrate to tmpfiles eclass.
    - Fix build with USE=tsm.
    - Fix systemd unit files, thanks Adrian <adrian@planetcoding.net>
      for the suggestion.
    - Fix doxygen dep.

    Bug: https://bugs.gentoo.org/719136
    Closes: https://bugs.gentoo.org/680944
    Closes: https://bugs.gentoo.org/686488
    Closes: https://bugs.gentoo.org/706738
    Closes: https://bugs.gentoo.org/736160
    Closes: https://bugs.gentoo.org/740630
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-fs/openafs/Manifest             |   3 +
 net-fs/openafs/openafs-1.8.6.ebuild | 343 ++++++++++++++++++++++++++++++++++++
 2 files changed, 346 insertions(+)
Tell us when ready to stable.
Sanity check failed:

> net-fs/openafs-1.8.6
>   depend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     app-backup/tsm
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     app-backup/tsm
>   rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     app-backup/tsm
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     app-backup/tsm
Ready?
(In reply to Sam James from comment #10)
> Ready?

Yes. Please note that app-backup/tsm needs to be stable only on amd64:

amd64? ( tsm? ( app-backup/tsm ) )
(In reply to Andrew Savchenko from comment #11)
> (In reply to Sam James from comment #10)
> > Ready?
>
> Yes. Please note that app-backup/tsm needs to be stable only on amd64:
>
> amd64? ( tsm? ( app-backup/tsm ) )

Right - although Nattka didn't end up expanding it anyway.
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #14)
> Maintainer(s), please cleanup.

Simple cleanup is not possible here, since openafs-1.6.* removal implies openafs-kernel removal from the tree. While all its functionality is preserved within a single unified openafs package (via USE="modules"), technically this is still a package removal and the last-rite procedure. So I'm going to mask (< openafs-1.8) and openafs-kernel, last-rite openafs-kernel and at least 30 days later finally remove it.

Security team, are you OK with this plan or should I follow some other procedure taking into account security implications?
(In reply to Andrew Savchenko from comment #15)
> (In reply to Agostino Sarubbo from comment #14)
> > Maintainer(s), please cleanup.
>
> Simple cleanup is not possible here, since openafs-1.6.* removal implies
> openafs-kernel removal from the tree. While all its functionality is
> preserved within single unified openafs package (via USE="modules"),
> technically this is still a package removal and the last-rite procedure. So
> I'm going to mask (< openafs-1.8) and openafs-kernel, last-rite
> openafs-kernel and at least 30 days later finally remove it.
>
> Security team, are you OK with this plan or should I follow some other
> procedure taking into account security implications?

Hey, that's fine with us. Just tag the bug / comment here as you go along, so it's easy to see what the current status is. Thank you for checking!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77fc8845e127ea2f5f2e5ffa7cfb50ff4e17729b

commit 77fc8845e127ea2f5f2e5ffa7cfb50ff4e17729b
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2020-10-11 18:59:29 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2020-10-11 19:07:02 +0000

    profiles/packages.mask: mask net-fs/openafs-kernel and revdep for removal

    Use net-fs/openafs-1.8.*[modules] instead.

    Bug: https://bugs.gentoo.org/719136
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 profiles/package.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07628bb2188c4ce09f32bd8263987a107b794ce5

commit 07628bb2188c4ce09f32bd8263987a107b794ce5
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2020-11-29 18:55:26 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2020-11-29 19:14:12 +0000

    net-fs/openafs-kernel: remove last rited and vulnerable package

    All functionality is preserved within net-fs/openafs[modules].

    Bug: https://bugs.gentoo.org/719136
    Closes: https://bugs.gentoo.org/703506
    Closes: https://bugs.gentoo.org/707928
    Closes: https://bugs.gentoo.org/724920
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-fs/openafs-kernel/Manifest             |   3 -
 net-fs/openafs-kernel/metadata.xml         |  11 --
 .../openafs-kernel-1.6.22.1-r1.ebuild      | 134 ---------------------
 .../openafs-kernel-1.6.22.2-r1.ebuild      | 134 ---------------------
 4 files changed, 282 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c13a871446d8632c473fc7eed27fd33862895e54

commit c13a871446d8632c473fc7eed27fd33862895e54
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2020-11-29 18:47:00 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2020-11-29 19:14:07 +0000

    net-fs/openafs: remove old versions

    Bug: https://bugs.gentoo.org/719136
    Closes: https://bugs.gentoo.org/642542
    Package-Manager: Portage-3.0.10, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-fs/openafs/Manifest                |   5 -
 net-fs/openafs/openafs-1.6.22.1.ebuild | 222 ---------------------------------
 net-fs/openafs/openafs-1.6.22.2.ebuild | 222 ---------------------------------
 3 files changed, 449 deletions(-)
GLSA Vote: No

Repository is clean, all done!