Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 478282 (CVE-2013-4135) - <net-fs/openafs-1.6.5: Traffic Encryption Information Disclosure Security Issue (CVE-2013-4135)
Summary: <net-fs/openafs-1.6.5: Traffic Encryption Information Disclosure Security Iss...
Status: RESOLVED FIXED
Alias: CVE-2013-4135
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54184/
Whiteboard: B4 [glsa]
Keywords:
Depends on: CVE-2013-4134 478498
Blocks:
  Show dependency tree
 
Reported: 2013-07-26 19:39 UTC by Agostino Sarubbo
Modified: 2014-04-07 21:53 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-26 19:39:41 UTC
From ${URL} :

Description

A security issue has been reported in OpenAFS, which can be exploited by malicious people to 
disclose certain sensitive information.

The security issue is caused due to an unspecified error when handing the "-encrypt" option passed 
to the "vos" volume management command and can be exploited to disclose the communication contents 
via e.g. MitM (Man-in-the-Middle) attacks.

The security issue is reported in versions prior to 1.6.5 and 1.4.15.


Solution:
Update to version 1.6.5 or 1.4.15.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.openafs.org/pages/security/OPENAFS-SA-2013-004.txt




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett gentoo-dev Security 2013-09-11 05:28:16 UTC
GLSA vote: yes.
Comment 2 Sergey Popov gentoo-dev Security 2013-09-20 09:13:29 UTC
GLSA vote: yes

Added to existing GLSA draft
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-11-12 23:31:29 UTC
CVE-2013-4135 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4135):
  The vos command in OpenAFS 1.6.x before 1.6.5, when using the -encrypt
  option, only enables integrity protection and sends data in cleartext, which
  allows remote attackers to obtain sensitive information by sniffing the
  network.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-04-07 21:53:06 UTC
This issue was resolved and addressed in
 GLSA 201404-05 at http://security.gentoo.org/glsa/glsa-201404-05.xml
by GLSA coordinator Mikle Kolyada (Zlogene).