Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[gentoo-announce] GLSA: OpenAFS
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
klieber
Bodhisattva
Bodhisattva


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Thu Aug 15, 2002 3:33 pm    Post subject: [gentoo-announce] GLSA: OpenAFS Reply with quote

Daniel Ahlberg wrote:
GENTOO LINUX SECURITY ANNOUNCEMENT
- - - -------------------------------------------------------------------=
-

PACKAGE :openafs
SUMMARY :remote root
DATE :2002-08-03 23:26 UTC

- - - -------------------------------------------------------------------=
-

OVERVIEW

A remote user may be able to gain root access to an OpenAFS database
server or fileserver host. In addition, certain administrative clients
may be attacked if they make requests to a rogue server.

DETAIL

There is an integer overflow bug in the SUNRPC-derived RPC library
used by OpenAFS that could be exploited to crash certain OpenAFS
servers (volserver, vlserver, ptserver, buserver) or to obtain
unauthorized root access to a host running one of these processes.

In addition, it is possible for a rogue server to attack certain
administrative clients (vos, pts, backup, butc, rxstat), but only
if certain RPC requests are made to the rogue server.

The OpenAFS fileserver and cache manager (client) are not vulnerable
to these attacks. No exploits are presently known to be available
for this vulnerability.

The full advisory may be found here:
http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt

SOLUTION

This security issue was fixed in ebuild version 1.2.5-r1 uploaded to
portage on Fri Aug 2 22:47:20 2002 UTC. The OpenAFS team has released
OpenAFS 1.2.6 to fix this security issue.

It is recommended that all Gentoo Linux users who has OpenAFS installed
update their systems as follows.

emerge rsync
emerge openafs
emerge clean

- - - -------------------------------------------------------------------=

Daniel Ahlberg
aliz@gentoo.org
- - - -------------------------------------------------------------------=

Mailing List Archive:http://lists.gentoo.org/pipermail/gentoo-announce/2002-August/000190.html

--kurt
_________________
The problem with political jokes is that they get elected
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum