Your message dated Sat, 11 Jan 2025 14:51:47 +0000
with message-id <e1twcq3-004uja...@fasolo.debian.org>
and subject line Bug#1087407: fixed in openafs 1.8.9-1+deb12u1
has caused the Debian Bug report #1087407,
regarding OpenAFS security releases
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1087407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087407
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openafs-client
Version: 1.8.12.1-1
Severity: serious
Tags: security upstream fixed-upstream patch
Control: clone -1 -2
Control: reassign -2 openafs-fileserver
Quoting upstream's release announcement
(https://lists.openafs.org/pipermail/openafs-devel/2024-November/020961.html):
OPENAFS-SA-2024-001 (CVE-2024-10394) affects cache managers where PAGs are
in use; an attacker with access to a multi-user system could retrieve and
use credentials from a preexisting PAG they are not authorized to access.
OPENAFS-SA-2024-002 (CVE-2024-10396) affects fileservers, with denial of
service and potential information disclosure from uninitialized memory
access being possible due to improper string handling in processing the
RXAFS_StoreACL RPC. Analogous impact to clients is possible due to
improper string handling in processing the results of the RXAFS_FetchACL
RPC.
OPENAFS-SA-2024-003 (CVE-2024-10397) is a buffer overflow affecting certain
RPC clients (notably, cache manager and command-line client utilities).
Errors and denial of service (crashes) are the most common failure modes,
though for this class of memory-safety issue there is some potential that
heap manipulation could allow remote code execution.
--- End Message ---
--- Begin Message ---
Source: openafs
Source-Version: 1.8.9-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
openafs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1087...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated openafs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 25 Dec 2024 21:19:02 +0100
Source: openafs
Architecture: source
Version: 1.8.9-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Benjamin Kaduk <ka...@mit.edu>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1087406 1087407
Changes:
openafs (1.8.9-1+deb12u1) bookworm-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * afs: Properly type afs_osi_suser cred arg
  * Theft of credentials in Unix client PAGs (CVE-2024-10394)
    (Closes: #1087406, #1087407)
  * Fileserver crash and possible information leak on StoreACL/FetchACL
    (CVE-2024-10396) (Closes: #1087406, #1087407)
  * Preallocated buffer overflows in XDR responses (CVE-2024-10397)
    (Closes: #1087406, #1087407)
--- End Message ---