Your message dated Tue, 12 Nov 2024 22:35:12 +0000
with message-id <[email protected]>
and subject line Bug#1087406: fixed in openafs 1.8.13-1
has caused the Debian Bug report #1087406,
regarding OpenAFS security releases
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1087406: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087406
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openafs-client
Version: 1.8.12.1-1
Severity: serious
Tags: security upstream fixed-upstream patch
Control: clone -1 -2
Control: reassign -2 openafs-fileserver
Quoting upstream's release announcement
(https://lists.openafs.org/pipermail/openafs-devel/2024-November/020961.html):
OPENAFS-SA-2024-001 (CVE-2024-10394) affects cache managers where PAGs are
in use; an attacker with access to a multi-user system could retrieve and
use credentials from a preexisting PAG they are not authorized to access.
OPENAFS-SA-2024-002 (CVE-2024-10396) affects fileservers, with denial of
service and potential information disclosure from uninitialized memory
access being possible due to improper string handling in processing the
RXAFS_StoreACL RPC. Analogous impact to clients is possible due to
improper string handling in processing the results of the RXAFS_FetchACL
RPC.
OPENAFS-SA-2024-003 (CVE-2024-10397) is a buffer overflow affecting certain
RPC clients (notably, cache manager and command-line client utilities).
Errors and denial of service (crashes) are the most common failure modes,
though for this class of memory-safety issue there is some potential that
heap manipulation could allow remote code execution.
--- End Message ---
--- Begin Message ---
Source: openafs
Source-Version: 1.8.13-1
Done: Benjamin Kaduk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openafs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Benjamin Kaduk <[email protected]> (supplier of updated openafs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 12 Nov 2024 13:58:26 -0800
Source: openafs
Architecture: source
Version: 1.8.13-1
Distribution: unstable
Urgency: high
Maintainer: Benjamin Kaduk <[email protected]>
Changed-By: Benjamin Kaduk <[email protected]>
Closes: 1087406 1087407
Changes:
openafs (1.8.13-1) unstable; urgency=high
.
* New upstream security release:
- Fix OPENAFS-SA-2024-001: theft of credentials from Unix PAGs
(CVE-2024-10394)
- Fix OPENAFS-SA-2024-002: fileserver crash on malformed StoreACL
(CVE-2024-10396)
- Fix OPENAFS-SA-2024-003: buffer overflows in XDR responses
(CVE-2024-10397)
- Closes: #1087406, #1087407
Checksums-Sha1:
d7aeece6dd36d8b1499ad600112f21e68c064552 3650 openafs_1.8.13-1.dsc
1c03578cc50d62f212176853c9d1f1f99afbb8cf 6769268 openafs_1.8.13.orig.tar.xz
b4a5efbf0dbf7b8c40227d79402bd5af1ecccab7 140632 openafs_1.8.13-1.debian.tar.xz
ff25d50a68544bee2fd7df83e8ecfddcac6e27f5 17744 openafs_1.8.13-1_amd64.buildinfo
Checksums-Sha256:
a164cd732a236c090589c18846236bdc7b54e76187543e2810b70df5dbed34d4 3650 openafs_1.8.13-1.dsc
038f686aa122734651f3fe7358b7797c40fca6850016fd5ba4d22d532cb6ca3c 6769268 openafs_1.8.13.orig.tar.xz
1d85b0f37a679261e99b3b84b4471af37f7e844f3b47f35c2b62afb8a8b54a8d 140632 openafs_1.8.13-1.debian.tar.xz
f200f94c474a84b7b553bd4b323f98c2fd8e6c552a1c3a5772deeaf1b1b3e4f3 17744 openafs_1.8.13-1_amd64.buildinfo
Files:
f1ed1164346749fedaa0aa5b84822edc 3650 net optional openafs_1.8.13-1.dsc
241f8c67043a1b9d1238b508d80dd84c 6769268 net optional openafs_1.8.13.orig.tar.xz
a85077b3ac6fe8953ebce0a98fddf796 140632 net optional openafs_1.8.13-1.debian.tar.xz
e61202c3d28b262cb5d762f77703fb42 17744 net optional openafs_1.8.13-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---