[OpenAFS-devel] Re: CVE-2011-0430 and CVE-2011-0431

Thomas Calderon calderon.thomas@gmail.com
Mon, 7 Mar 2011 23:48:19 +0100


Hi there,

I see that Debian packages have been patched to correct the two CVEs
(1.4.12.1+dfsg-4).

I'd like to know if Ubuntu packages could receive the same love!

Thank you.

Thomas.

On Tue, Feb 22, 2011 at 10:59 PM, Simon Wilkinson <sxw@inf.ed.ac.uk> wrote:

>
> On 22 Feb 2011, at 18:53, Andrew Deason wrote:
>
> > On Tue, 22 Feb 2011 13:50:26 -0500
> > Jack Neely <jjneely@pams.ncsu.edu> wrote:
> >
> >> Folks,
> >>
> >> I've just come across CVE-2011-0430 and CVE-2011-0431 both against
> >> OpenAFS 1.4.14.  Both CVEs cite 1.4.14 as affected, but as far as I can
> >> tell these issues were fixed in the 1.4.14 upstream release.
> >>
> >> Can anyone confirm if those bugs have been corrected in 1.4.14?
> >
> > The CVEs are incorrect; both issues were fixed in 1.4.14. An official
> > announcement from openafs.org about these issues will hopefully be
> > available soon.
>
> For various reasons (none of them to do with Debian), Debian publicised
> those CVEs, and their corresponding security release, before we were ready
> to publish our advisory. Sadly, we're now left playing catch up.
>
> Even more sadly, the text that Debian registered for those CVEs is, as
> Andrew indicates, incorrect.
>
> CVE-2011-0430 affects only RX servers using rxkad authentication. This
> means fileservers and database servers, but NOT the cache manager. A remote
> attacker may cause such a server to crash. The bug is present from 1.2.8
> thru 1.4.12.1 and 1.5.0 thru 1.5.74.
>
> CVE-2001-0431 is a bug in the Linux cache manager. A local attacker with
> access to the AFS file space may cause the cache manager to oops. This bug
> is present from 1.4.11 thru 1.4.12.1 and 1.5.61 thru 1.5.74. Note that it is
> rare that kernel bugs which cause oopses result in security advisories.
> Left to our own devices, OpenAFS would probably not have issued an advisory
> for this issue.
>
> 1.4.14 fixes both of these issues.
>
> Hopefully I'll get the website updated shortly. In the meantime, if you
> would like patches for older versions of OpenAFS, they are available using
> the following git SHA1s:
>
> 0430 is fixed by 707a959c96b01506f6d8eacbbf47a872af882626
> 0431 is fixed by beaf16069ed9a9f3355adfdf5e03b2bb28c21a8a
>
> Cheers,
>
> Simon.