Debian Bug report logs - #846922
CVE-2016-9772 - directory information leaks

Package: openafs; Maintainer for openafs is Benjamin Kaduk <kaduk@mit.edu>;

Reported by: Guido Günther <agx@sigxcpu.org>

Date: Sun, 4 Dec 2016 11:12:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions 1.6.1-3, 1.6.1-2

Fixed in versions 1.6.20-1, 1.6.1-3+deb7u7, openafs/1.6.9-2+deb8u6

Done: Benjamin Kaduk <kaduk@mit.edu>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Benjamin Kaduk <kaduk@mit.edu>:
Bug#846922; Package openafs. (Sun, 04 Dec 2016 11:12:04 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to Benjamin Kaduk <kaduk@mit.edu>. (Sun, 04 Dec 2016 11:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: submit@bugs.debian.org
Subject: CVE-2016-9772 - directory information leaks
Date: Sun, 4 Dec 2016 12:08:33 +0100
Package: openafs
Severity: important
Tags: security

Hi,

the following vulnerability was published for openafs.

CVE-2016-9772[0]:
OPENAFS-SA-2016-003 - directory information leaks

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9772
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9772
Please adjust the affected versions in the BTS as needed.

Marked as fixed in versions 1.6.1-3+deb7u7. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Sun, 04 Dec 2016 11:15:06 GMT)


Marked as found in versions 1.6.1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Dec 2016 12:33:03 GMT)


Marked as fixed in versions 1.6.20-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Dec 2016 12:33:04 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Dec 2016 12:33:04 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Sun, 04 Dec 2016 12:33:05 GMT)


Marked as found in versions 1.6.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Dec 2016 12:39:05 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Dec 2016 12:51:08 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 08:30:06 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 10 Dec 2017 05:48:03 GMT)


Reply sent to Benjamin Kaduk <kaduk@mit.edu>:
You have taken responsibility. (Mon, 25 Dec 2017 10:36:06 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Mon, 25 Dec 2017 10:36:06 GMT)


Message #28 received at 846922-close@bugs.debian.org:

From: Benjamin Kaduk <kaduk@mit.edu>
To: 846922-close@bugs.debian.org
Subject: Bug#846922: fixed in openafs 1.6.9-2+deb8u6
Date: Mon, 25 Dec 2017 10:33:29 +0000
Source: openafs
Source-Version: 1.6.9-2+deb8u6

We believe that the bug you reported is fixed in the latest version of
openafs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 846922@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Kaduk <kaduk@mit.edu> (supplier of updated openafs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Dec 2017 20:59:25 -0600
Source: openafs
Binary: openafs-client openafs-fuse openafs-kpasswd openafs-fileserver openafs-dbserver openafs-doc openafs-krb5 libkopenafs1 libafsauthent1 libafsrpc1 libopenafs-dev openafs-modules-source openafs-modules-dkms libpam-openafs-kaserver openafs-dbg
Architecture: all source
Version: 1.6.9-2+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Benjamin Kaduk <kaduk@mit.edu>
Changed-By: Benjamin Kaduk <kaduk@mit.edu>
Closes: 846922 883602
Description: 
 libafsauthent1 - AFS distributed file system runtime library (authentication)
 libafsrpc1 - AFS distributed file system runtime library (RPC layer)
 libkopenafs1 - AFS distributed file system runtime library (PAGs)
 libopenafs-dev - AFS distributed filesystem development libraries
 libpam-openafs-kaserver - AFS distributed filesystem kaserver PAM module
 openafs-client - AFS distributed filesystem client support
 openafs-dbg - AFS distributed filesystem debugging information
 openafs-dbserver - AFS distributed filesystem database server
 openafs-doc - AFS distributed filesystem documentation
 openafs-fileserver - AFS distributed filesystem file server
 openafs-fuse - AFS distributed file system experimental FUSE client
 openafs-kpasswd - AFS distributed filesystem old password changing
 openafs-krb5 - AFS distributed filesystem Kerberos 5 integration
 openafs-modules-dkms - AFS distributed filesystem kernel module DKMS source
 openafs-modules-source - AFS distributed filesystem kernel module source
Changes:
 openafs (1.6.9-2+deb8u6) jessie-security; urgency=high
 .
   * CVE-2017-17432: remote triggered Rx assertion failure (Closes: #883602)
   * CVE-2016-4536: information leakage from OpenAFS clients
   * CVE-2016-9772: information leakage from directory objects
     (Closes: #846922)
Checksums-Sha1: 
 41c7a7d8cb06fb646672cfb2d67632989344d975 4143 openafs_1.6.9-2+deb8u6.dsc
 72a49524e38166cf066658e409ba59a1799450d8 150668 openafs_1.6.9-2+deb8u6.debian.tar.xz
 a8e07c62659d82e63431d7f62a23d2e13453745a 3999800 openafs-doc_1.6.9-2+deb8u6_all.deb
 25357f43233fdfc5572b4f605145744279b95c76 1127388 openafs-modules-source_1.6.9-2+deb8u6_all.deb
 eff70f54244e72a984c3ced872f029c733487e80 939392 openafs-modules-dkms_1.6.9-2+deb8u6_all.deb
Checksums-Sha256: 
 e58ff8b49ac7dc4e9a40a56ca4c14d5cf8bbfb728883752001f003602fe4ab60 4143 openafs_1.6.9-2+deb8u6.dsc
 ad3909ebacbf1be9b024ad6dc121d908a90793456f72c637475cce16d449e7b3 150668 openafs_1.6.9-2+deb8u6.debian.tar.xz
 d15ac8e533cd2de75342d978451d08824c4faea7b54fe7af4ccdcdb5df76cf17 3999800 openafs-doc_1.6.9-2+deb8u6_all.deb
 e471efbb7afbcd67e5620435ad50b58e7b06d6631b4d49a3ec46c1cfd00456c0 1127388 openafs-modules-source_1.6.9-2+deb8u6_all.deb
 fd423d6597e83793d0d30674d7215157f48351c085f0f5dcfd248020ea619ec7 939392 openafs-modules-dkms_1.6.9-2+deb8u6_all.deb
Files: 
 e199ecfce35cee2764db272b7645e903 4143 net optional openafs_1.6.9-2+deb8u6.dsc
 20243fe114b1f17b15f6c1953d886f61 150668 net optional openafs_1.6.9-2+deb8u6.debian.tar.xz
 668854b0cb04e8343a34e9babd332e18 3999800 doc optional openafs-doc_1.6.9-2+deb8u6_all.deb
 60896d319c6078df17a9d003eceb3d50 1127388 kernel extra openafs-modules-source_1.6.9-2+deb8u6_all.deb
 e62f0f8c2069a98de51fd48d01ce795a 939392 kernel extra openafs-modules-dkms_1.6.9-2+deb8u6_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlos3xpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ENZMP/jkZpd3oSLZeapHxBifmvp/ypdnZdc/X
kfDQgBLa2JN6v6tCXwJvb0vnXNxifHOknAqG2KmoXRwVLjQNwrKhYzrEzwkgJTSq
jAwUe0TnNhXyF3VSDvu+iiyNzgwXrIS1BsHrZKun20TqNGlBJwxLkj8vuCcs33bN
h/uZrZ4/mIf+hIRsOgv76bMY6XEqzXE7prfW1v1j9bqdANcrqoCPInF5zw8PP6MG
grf3YmztHSbxmlyl8bpFhY+q79JwO7Kh8K5VTFf1eoqLACj1fEulLgsRr5wJQ4+I
+1IXBeo0vaXxRVwkAuLv+I9h4pEVT85hCB5geuleaZuVGVVcCgPpn/4bngXIYthl
iPc/oemTn5q/Vp4qgLQ7SiCgRGf05FY1G/XH0YIk8rdOe9acV/6lLjdFMKBz5C7H
VQ/uwzWI/Pxc1nTuA94IckF9pBOTlP0e/fjz/Lf74UcP5bDdfJkfzBKZjVqmQYnn
rM2S61aGdxBvcNuX4HHomxs3y0kW7ONheu83gUi3DLnyCNGEliYdqdu350CWU0xI
oV7haKT6MsbCnL30aq1ZjH9nEhpWyEO62KEaKfi0Id8RSoL/6CqhW6fHZQesMHzE
B7TTuvIsWcSPm47tK5ilu89Sbxw4Mfull8LzjXPt4oO2vU/BQSTKTJvEoDH1a194
Gtqz2/RQjR4L
=xgeJ
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Jan 2018 07:25:36 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:40:04 2019; Machine Name: buxtehude