OpenAFS security release

Related Vulnerabilities: CVE-2018-16947   CVE-2018-16948   CVE-2018-16949  

Debian Bug report logs - #908616
OpenAFS security release


Reported by: Benjamin Kaduk <kaduk@mit.edu>

Date: Tue, 11 Sep 2018 19:39:01 UTC

Severity: serious

Tags: security

Found in versions openafs/1.6.9-1, openafs/1.6.9-2+deb8u7

Fixed in versions openafs/1.8.2-1, openafs/1.6.20-2+deb9u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.
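The "Found in" and "Fixed in" fields above are the data an administrator needs to decide whether a host is still exposed, and Debian version strings (epoch, upstream version, Debian revision, "~" sorting before everything) are easy to misorder with a naive string compare. The following is an added example, not code from the Debian bug page or from the OpenAFS project: it implements the dpkg version ordering and checks an installed openafs version against the fixed versions this report names. The suite labels used as keys in FIXED, and any installed version passed in, are this example's own assumptions; the page lists a jessie version (1.6.9-2+deb8u7) as affected but names no jessie fix, so that suite is reported as unknown rather than guessed.

```python
"""Debian version ordering and fixed-version check for Bug#908616.

Added example (not part of the Debian bug page or of OpenAFS).  The
comparison follows dpkg: epoch, then upstream version, then Debian
revision; within each, non-digit runs are compared by character weight
('~' before everything, letters before other symbols) and digit runs
numerically.  FIXED holds the fixed versions named in this report; the
suite keys are this example's own labels (assumption).
"""
import subprocess

FIXED = {
    "stretch": "1.6.20-2+deb9u2",   # stretch-security upload (Message #27)
    "unstable": "1.8.2-1",          # unstable upload (Message #22)
}


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """dpkg weight of one character; '' (end of string) weighs 0."""
    if not c or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character weight decides.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_vercmp(a, b):
    """Return <0, 0 or >0 as 'dpkg --compare-versions' would order a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def openafs_status(installed, suite):
    """'fixed', 'vulnerable', or 'unknown' when this report names no fix for the suite."""
    fixed = FIXED.get(suite)
    if fixed is None:
        return "unknown"
    return "fixed" if dpkg_vercmp(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    # On a real host: ask dpkg for the installed version (assumes openafs-client
    # is installed and this is a Debian system).
    import sys
    suite = sys.argv[1] if len(sys.argv) > 1 else "stretch"
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "openafs-client"],
                         capture_output=True, text=True, check=True).stdout.strip()
    print(out, suite, openafs_status(out, suite))
```

Run with the suite name as its only argument; the comparison itself needs no dpkg, so the same functions can be pointed at an inventory export from hosts you cannot log into.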




Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#908616; Package src:openafs. (Tue, 11 Sep 2018 19:39:03 GMT)


Acknowledgement sent to Benjamin Kaduk <kaduk@mit.edu>:
New Bug report received and forwarded. (Tue, 11 Sep 2018 19:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Benjamin Kaduk <kaduk@mit.edu>
To: submit@bugs.debian.org
Subject: OpenAFS security release
Date: Tue, 11 Sep 2018 14:30:51 -0500
Source: openafs
Version: 1.6.9-2+deb8u7
Tags: security
Severity: serious

OpenAFS upstream released security releases 1.6.23 and 1.8.2 today, fixing:
http://openafs.org/pages/security/OPENAFS-SA-2018-001.txt
http://openafs.org/pages/security/OPENAFS-SA-2018-002.txt
http://openafs.org/pages/security/OPENAFS-SA-2018-003.txt

No CVEs have been assigned yet.

-Ben



Marked as found in versions openafs/1.6.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 11 Sep 2018 19:51:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Benjamin Kaduk <kaduk@mit.edu>:
Bug#908616; Package src:openafs. (Tue, 11 Sep 2018 20:06:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Benjamin Kaduk <kaduk@mit.edu>. (Tue, 11 Sep 2018 20:06:02 GMT)


Message #12 received at 908616@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Benjamin Kaduk <kaduk@mit.edu>, 908616@bugs.debian.org
Subject: Re: Bug#908616: OpenAFS security release
Date: Tue, 11 Sep 2018 22:02:20 +0200
Hey!

On Tue, Sep 11, 2018 at 02:30:51PM -0500, Benjamin Kaduk wrote:
> Source: openafs
> Version: 1.6.9-2+deb8u7
> Tags: security
> Severity: serious
> 
> OpenAFS upstream released security releases 1.6.23 and 1.8.2 today, fixing:
> http://openafs.org/pages/security/OPENAFS-SA-2018-001.txt
> http://openafs.org/pages/security/OPENAFS-SA-2018-002.txt
> http://openafs.org/pages/security/OPENAFS-SA-2018-003.txt
> 
> No CVEs have been assigned yet.

Would it be possible that you, with both your maintainer and upstream
hats on, request CVEs accordingly via http://cveform.mitre.org/ (and
then loop the assignments back here once you have them)?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#908616; Package src:openafs. (Wed, 12 Sep 2018 02:09:08 GMT)


Acknowledgement sent to Benjamin Kaduk <kaduk@mit.edu>:
Extra info received and forwarded to list. (Wed, 12 Sep 2018 02:09:08 GMT)


Message #17 received at 908616@bugs.debian.org:

From: Benjamin Kaduk <kaduk@mit.edu>
To: 908616@bugs.debian.org
Subject: Re: Bug#908616: OpenAFS security release
Date: Tue, 11 Sep 2018 20:58:59 -0500
On Tue, Sep 11, 2018 at 10:02:20PM +0200, Salvatore Bonaccorso wrote:
> Hey!
> 
> On Tue, Sep 11, 2018 at 02:30:51PM -0500, Benjamin Kaduk wrote:
> > Source: openafs
> > Version: 1.6.9-2+deb8u7
> > Tags: security
> > Severity: serious
> > 
> > OpenAFS upstream released security releases 1.6.23 and 1.8.2 today, fixing:
> > http://openafs.org/pages/security/OPENAFS-SA-2018-001.txt
> > http://openafs.org/pages/security/OPENAFS-SA-2018-002.txt
> > http://openafs.org/pages/security/OPENAFS-SA-2018-003.txt
> > 
> > No CVEs have been assigned yet.
> 
> Would it be possible that you, with both your maintainer and upstream
> hats on, request CVEs accordingly via http://cveform.mitre.org/ (and
> then loop the assignments back here once you have them)?

OPENAFS-SA-2018-001 is CVE-2018-16947.
OPENAFS-SA-2018-002 is CVE-2018-16948.
OPENAFS-SA-2018-003 is CVE-2018-16949.

-Ben



Reply sent to Anders Kaseorg <andersk@mit.edu>:
You have taken responsibility. (Wed, 12 Sep 2018 08:45:27 GMT)


Notification sent to Benjamin Kaduk <kaduk@mit.edu>:
Bug acknowledged by developer. (Wed, 12 Sep 2018 08:45:27 GMT)


Message #22 received at 908616-close@bugs.debian.org:

From: Anders Kaseorg <andersk@mit.edu>
To: 908616-close@bugs.debian.org
Subject: Bug#908616: fixed in openafs 1.8.2-1
Date: Wed, 12 Sep 2018 08:41:43 +0000
Source: openafs
Source-Version: 1.8.2-1

We believe that the bug you reported is fixed in the latest version of
openafs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908616@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anders Kaseorg <andersk@mit.edu> (supplier of updated openafs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Sep 2018 22:53:43 -0700
Source: openafs
Binary: openafs-client openafs-fuse openafs-fileserver openafs-dbserver openafs-doc openafs-krb5 libkopenafs2 libafsauthent2 libafsrpc2 libopenafs-dev openafs-modules-source openafs-modules-dkms
Architecture: source
Version: 1.8.2-1
Distribution: unstable
Urgency: high
Maintainer: Benjamin Kaduk <kaduk@mit.edu>
Changed-By: Anders Kaseorg <andersk@mit.edu>
Description:
 libafsauthent2 - AFS distributed file system runtime library (authentication)
 libafsrpc2 - AFS distributed file system runtime library (RPC layer)
 libkopenafs2 - AFS distributed file system runtime library (PAGs)
 libopenafs-dev - AFS distributed filesystem development libraries
 openafs-client - AFS distributed filesystem client support
 openafs-dbserver - AFS distributed filesystem database server
 openafs-doc - AFS distributed filesystem documentation
 openafs-fileserver - AFS distributed filesystem file server
 openafs-fuse - AFS distributed file system experimental FUSE client
 openafs-krb5 - AFS distributed filesystem Kerberos 5 integration
 openafs-modules-dkms - AFS distributed filesystem kernel module DKMS source
 openafs-modules-source - AFS distributed filesystem kernel module source
Closes: 908616
Changes:
 openafs (1.8.2-1) unstable; urgency=high
 .
   * New upstream release 1.8.1.1:
     - Support Linux 4.18.
   * New upstream security release 1.8.2 (Closes: #908616):
     - Fix OPENAFS-SA-2018-001: unauthenticated volume operations via butc
       (CVE-2018-16947).
     - Fix OPENAFS-SA-2018-002: information leakage in RPC output variables
       (CVE-2018-16948).
     - Fix OPENAFS-SA-2018-003: denial of service due to excess resource
       consumption (CVE-2018-16949).
Checksums-Sha1:
 13493550588c28a6ea084bef287a264aed246893 3455 openafs_1.8.2-1.dsc
 1a9372ce6fde9af18b2a77c7d45a40a2e801b9e5 6742532 openafs_1.8.2.orig.tar.xz
 ea7cbf795f7454eccf659bb1efc46e40537d4e75 138436 openafs_1.8.2-1.debian.tar.xz
 5fdfb8386f2765ddf38199f695086faf8211b286 8852 openafs_1.8.2-1_source.buildinfo
Checksums-Sha256:
 3e886cf1c1158d399c579497f97e0134b45c41977ed464a2b18e129b65519292 3455 openafs_1.8.2-1.dsc
 e1a464152ccb05f75fe9be577a40177c1f7a7ffb2a56c53fa4e8a349b1983d1f 6742532 openafs_1.8.2.orig.tar.xz
 2e32b25494c99c396a252749e6b28a83ca34173b99c2df80d9122bd6f569c134 138436 openafs_1.8.2-1.debian.tar.xz
 825d75c108daf83491ee8394d4e70c3ca93f7667816a435044b4c49f625eeae6 8852 openafs_1.8.2-1_source.buildinfo
Files:
 2bf2a0dbec31d6bf5dc46be1218f2439 3455 net optional openafs_1.8.2-1.dsc
 28940368b1572eba2dcd40109b77ac9e 6742532 net optional openafs_1.8.2.orig.tar.xz
 d27b75728f5a2740e27d0df2f147eeb2 138436 net optional openafs_1.8.2-1.debian.tar.xz
 09bcf6e16a89defd4e50b28b44318aac 8852 net optional openafs_1.8.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature data omitted]
-----END PGP SIGNATURE-----

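The upload notification above carries the size and SHA-256 of every file in the source upload. Anyone who mirrors or rebuilds the package from those files should check them against the .changes stanza, and a naive approach (eyeballing the hash, or trusting the MD5 "Files" list) is easy to get wrong. The following is an added example, not code from the Debian bug page, the Debian archive tools, or OpenAFS: it parses the Checksums-Sha256 field of a .changes file and verifies size and digest of each named file in a directory. CHANGES_STANZA is copied from the 1.8.2-1 upload above; the directory it is run against, and any files the caller places there, are the caller's own.

```python
"""Verify files named in a Debian .changes file against its Checksums-Sha256 field.

Added example, not code from the Debian bug page or from OpenAFS.
CHANGES_STANZA reproduces the Checksums-Sha256 field of the openafs
1.8.2-1 upload (Message #22); the 'Files' field is shown only to
demonstrate that it is skipped.
"""
import hashlib
import os
import sys

CHANGES_STANZA = """\
Checksums-Sha256:
 3e886cf1c1158d399c579497f97e0134b45c41977ed464a2b18e129b65519292 3455 openafs_1.8.2-1.dsc
 e1a464152ccb05f75fe9be577a40177c1f7a7ffb2a56c53fa4e8a349b1983d1f 6742532 openafs_1.8.2.orig.tar.xz
 2e32b25494c99c396a252749e6b28a83ca34173b99c2df80d9122bd6f569c134 138436 openafs_1.8.2-1.debian.tar.xz
 825d75c108daf83491ee8394d4e70c3ca93f7667816a435044b4c49f625eeae6 8852 openafs_1.8.2-1_source.buildinfo
Files:
 2bf2a0dbec31d6bf5dc46be1218f2439 3455 net optional openafs_1.8.2-1.dsc
"""


def parse_sha256_stanza(text):
    """Return {filename: (size, sha256hex)} from the Checksums-Sha256 field.

    Fields are RFC822-style: the field name on its own line, then one
    indented continuation line per file ('<sha256> <size> <name>').  Any
    other field (Checksums-Sha1, the MD5 'Files' list) is ignored.
    """
    entries = {}
    in_stanza = False
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            in_stanza = line.strip().lower() == "checksums-sha256:"
            continue
        if not in_stanza or not line.strip():
            continue
        digest, size, name = line.split()
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed sha256 digest for %s" % name)
        entries[name] = (int(size), digest)
    return entries


def sha256_of_file(path):
    """Stream a file through SHA-256 so large .orig tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(entries, directory):
    """Return {name: 'ok' | 'missing' | 'size-mismatch' | 'digest-mismatch'}.

    The size is checked first because it is cheap and catches truncated
    downloads; only the basename of each entry is used, so a .changes
    file cannot point the check at paths outside the directory.
    """
    results = {}
    for name, (size, digest) in entries.items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_of_file(path) != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # Usage: verify_changes.py <file.changes> [directory]  (paths are the caller's own)
    changes_path = sys.argv[1]
    directory = sys.argv[2] if len(sys.argv) > 2 else os.path.dirname(changes_path) or "."
    with open(changes_path, encoding="utf-8") as f:
        report = verify_files(parse_sha256_stanza(f.read()), directory)
    for name, status in sorted(report.items()):
        print("%-16s %s" % (status, name))
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

A matching digest only proves the files are the ones the .changes describes; what ties them to the uploader is the OpenPGP signature over the .changes (stripped from the copy above), so run gpg --verify on the .changes against the Debian keyring first, or use dscverify from devscripts, which does both steps.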



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 02 Oct 2018 06:09:07 GMT)


Notification sent to Benjamin Kaduk <kaduk@mit.edu>:
Bug acknowledged by developer. (Tue, 02 Oct 2018 06:09:08 GMT)


Message #27 received at 908616-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 908616-close@bugs.debian.org
Subject: Bug#908616: fixed in openafs 1.6.20-2+deb9u2
Date: Tue, 02 Oct 2018 06:06:29 +0000
Source: openafs
Source-Version: 1.6.20-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
openafs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908616@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated openafs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 Sep 2018 21:06:09 +0200
Source: openafs
Binary: openafs-client openafs-fuse openafs-kpasswd openafs-fileserver openafs-dbserver openafs-doc openafs-krb5 libkopenafs1 libafsauthent1 libafsrpc1 libopenafs-dev openafs-modules-source openafs-modules-dkms libpam-openafs-kaserver
Architecture: source
Version: 1.6.20-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Benjamin Kaduk <kaduk@mit.edu>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 908616
Description: 
 libafsauthent1 - AFS distributed file system runtime library (authentication)
 libafsrpc1 - AFS distributed file system runtime library (RPC layer)
 libkopenafs1 - AFS distributed file system runtime library (PAGs)
 libopenafs-dev - AFS distributed filesystem development libraries
 libpam-openafs-kaserver - AFS distributed filesystem kaserver PAM module
 openafs-client - AFS distributed filesystem client support
 openafs-dbserver - AFS distributed filesystem database server
 openafs-doc - AFS distributed filesystem documentation
 openafs-fileserver - AFS distributed filesystem file server
 openafs-fuse - AFS distributed file system experimental FUSE client
 openafs-kpasswd - AFS distributed filesystem old password changing
 openafs-krb5 - AFS distributed filesystem Kerberos 5 integration
 openafs-modules-dkms - AFS distributed filesystem kernel module DKMS source
 openafs-modules-source - AFS distributed filesystem kernel module source
Changes:
 openafs (1.6.20-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Volume-level data replacement via unauthenticated butc connections
     (CVE-2018-16947) (Closes: #908616)
   * Information leakage from uninitialized RPC output variables
     (CVE-2018-16948) (Closes: #908616)
   * Denial of service due to excess resource consumption (CVE-2018-16949)
     (Closes: #908616)
Checksums-Sha1: 
 72ddecd763724698e91bea1db332c7dde4c823dd 4049 openafs_1.6.20-2+deb9u2.dsc
 440f93287c5eb88649532504a26b8d0fbea716ee 153260 openafs_1.6.20-2+deb9u2.debian.tar.xz
Checksums-Sha256: 
 9a5ddfecce5a6b2c5b7f849baa3d7cd634c6f4389b27cafb52106e533fbece44 4049 openafs_1.6.20-2+deb9u2.dsc
 e43e6c8d589493de136a319731d425c51a01b981ca5ed44e9f36073d2e5a8b9a 153260 openafs_1.6.20-2+deb9u2.debian.tar.xz
Files: 
 c6e04c222acdece498c2bfb48c37509d 4049 net optional openafs_1.6.20-2+deb9u2.dsc
 70b9b174205490105ffab0940ec2ad66 153260 net optional openafs_1.6.20-2+deb9u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
[signature data omitted]
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:27:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:02:32 2019; Machine Name: beach
