[OpenAFS-devel] Re: CVE-2011-0430 and CVE-2011-0431

Simon Wilkinson sxw@inf.ed.ac.uk
Tue, 22 Feb 2011 21:59:09 +0000


On 22 Feb 2011, at 18:53, Andrew Deason wrote:

> On Tue, 22 Feb 2011 13:50:26 -0500
> Jack Neely <jjneely@pams.ncsu.edu> wrote:
>
>> Folks,
>>
>> I've just come across CVE-2011-0430 and CVE-2011-0431 both against
>> OpenAFS 1.4.14.  Both CVEs cite 1.4.14 as affected, but as far as I can
>> tell these issues were fixed in the 1.4.14 upstream release.
>>
>> Can anyone confirm if those bugs have been corrected in 1.4.14?
>
> The CVEs are incorrect; both issues were fixed in 1.4.14. An official
> announcement from openafs.org about these issues will hopefully be
> available soon.

For various reasons (none of them to do with Debian), Debian publicised
those CVEs, and their corresponding security release, before we were
ready to publish our advisory. Sadly, we're now left playing catch up.

Even more sadly, the text that Debian registered for those CVEs is, as
Andrew indicates, incorrect.

CVE-2011-0430 affects only RX servers using rxkad authentication. This
means fileservers and database servers, but NOT the cache manager. A
remote attacker may cause such a server to crash. The bug is present
from 1.2.8 thru 1.4.12.1 and 1.5.0 thru 1.5.74.

CVE-2001-0431 is a bug in the Linux cache manager. A local attacker with
access to the AFS file space may cause the cache manager to oops. This
bug is present from 1.4.11 thru 1.4.12.1 and 1.5.61 thru 1.5.74. Note
that it is rare that kernel bugs which cause oopses result in security
advisories. Left to our own devices, OpenAFS would probably not have
issued an advisory for this issue.

1.4.14 fixes both of these issues.

Hopefully I'll get the website updated shortly. In the meantime, if you
would like patches for older versions of OpenAFS, they are available
using the following git SHA1s:

0430 is fixed by 707a959c96b01506f6d8eacbbf47a872af882626
0431 is fixed by beaf16069ed9a9f3355adfdf5e03b2bb28c21a8a

Cheers,

Simon.