Package: openafs-client
Version: 1.8.12.1-1
Severity: serious
Tags: security upstream fixed-upstream patch
Control: clone -1 -2
Control: reassign -2 openafs-fileserver

Quoting upstream's release announcement (https://lists.openafs.org/pipermail/openafs-devel/2024-November/020961.html):

OPENAFS-SA-2024-001 (CVE-2024-10394) affects cache managers where PAGs are in use; an attacker with access to a multi-user system could retrieve and use credentials from a preexisting PAG they are not authorized to access.

OPENAFS-SA-2024-002 (CVE-2024-10396) affects fileservers, with denial of service and potential information disclosure from uninitialized memory access being possible due to improper string handling in processing the RXAFS_StoreACL RPC. Analogous impact to clients is possible due to improper string handling in processing the results of the RXAFS_FetchACL RPC.

OPENAFS-SA-2024-003 (CVE-2024-10397) is a buffer overflow affecting certain RPC clients (notably, cache manager and command-line client utilities). Errors and denial of service (crashes) are the most common failure modes, though for this class of memory-safety issue there is some potential that heap manipulation could allow remote code execution.