MDVSA-2009:099-1
- Package name: openafs
- Date: 2009-12-08
- Advisory ID: MDVSA-2009:099-1
- Affected versions: 2008.0 i586, 2008.0 x86_64
Problem description
Multiple vulnerabilities have been found and corrected in openafs:

The cache manager in the client in OpenAFS 1.0 through 1.4.8 and
1.5.0 through 1.5.58 on Linux allows remote attackers to cause a
denial of service (system crash) via an RX response with a large
error-code value that is interpreted as a pointer and dereferenced,
related to use of the ERR_PTR macro (CVE-2009-1250).

Heap-based buffer overflow in the cache manager in the client in
OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58 on Unix platforms
allows remote attackers to cause a denial of service (system crash)
or possibly execute arbitrary code via an RX response containing
more data than specified in a request, related to use of XDR arrays
(CVE-2009-1251).

The updated packages have been patched to correct these issues.
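
The following is an added example, not OpenAFS or Mandriva code: a userspace model of the Linux ERR_PTR/IS_ERR convention showing why an out-of-range error code (the CVE-2009-1250 class of bug) passes the IS_ERR() test and looks like a valid pointer, next to a range-checked form. The helper names, the negated sign convention and the sample codes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the Linux kernel convention: only the top MAX_ERRNO
 * values of the address space are reserved to carry -errno codes. */
#define MAX_ERRNO 4095UL

static void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) {
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Hypothetical helper: turns a status code taken from a network reply
 * into an error pointer WITHOUT checking its range (the flawed pattern). */
static void *lookup_unchecked(long wire_code) {
    return ERR_PTR(-wire_code);
}

/* Hardened form: any code outside 1..MAX_ERRNO collapses to one known
 * errno (EIO = 5), so the result always satisfies IS_ERR(). */
static void *lookup_checked(long wire_code) {
    if (wire_code < 1 || wire_code > (long)MAX_ERRNO)
        wire_code = 5; /* EIO */
    return ERR_PTR(-wire_code);
}

/* Returns 1 when a caller that only tests IS_ERR() would go on to treat
 * the value as a real object pointer and dereference it. */
static int would_dereference(const void *p) { return !IS_ERR(p); }

int main(void) {
    long codes[] = {13, 100000}; /* constructed sample error codes */
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        printf("code %ld: unchecked deref=%d, checked deref=%d (errno %ld)\n",
               codes[i],
               would_dereference(lookup_unchecked(codes[i])),
               would_dereference(lookup_checked(codes[i])),
               -PTR_ERR(lookup_checked(codes[i])));
    }
    return 0;
}
```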
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
Updated packages
2008.0 i586
7b1982e29d59fa48973516226ef5ba38 2008.0/i586/dkms-libafs-1.4.4-8.3mdv2008.0.i586.rpm
302f3e4ef80a7a312d5a95f7a7bee7fb 2008.0/i586/libopenafs1-1.4.4-8.3mdv2008.0.i586.rpm
840e913861ed14fef8e5eccc7e65c13a 2008.0/i586/libopenafs1-devel-1.4.4-8.3mdv2008.0.i586.rpm
0fe92b704d5956205abf1a412c3084ce 2008.0/i586/openafs-1.4.4-8.3mdv2008.0.i586.rpm
eab2d124df726a795fdc0a926f96a097 2008.0/i586/openafs-client-1.4.4-8.3mdv2008.0.i586.rpm
651a5ea7af39e8089ce778dc91d8bbd6 2008.0/i586/openafs-doc-1.4.4-8.3mdv2008.0.i586.rpm
a0cab0f7b039f0769a90f1c731257659 2008.0/i586/openafs-server-1.4.4-8.3mdv2008.0.i586.rpm
32880b76d44f126c2d5c06366a47d48d 2008.0/SRPMS/openafs-1.4.4-8.3mdv2008.0.src.rpm
2008.0 x86_64
2f62764a76389c4cd7af690fa6f3f570 2008.0/x86_64/dkms-libafs-1.4.4-8.3mdv2008.0.x86_64.rpm
8714e19c9e2af64f4c32187e96679c68 2008.0/x86_64/lib64openafs1-1.4.4-8.3mdv2008.0.x86_64.rpm
9140e1c3ef876fb9b445f818122c07ab 2008.0/x86_64/lib64openafs1-devel-1.4.4-8.3mdv2008.0.x86_64.rpm
c8b22c0e5b789f5a435237437e5e9aa5 2008.0/x86_64/openafs-1.4.4-8.3mdv2008.0.x86_64.rpm
dd5199fb52dba4dbe8793c9991997b69 2008.0/x86_64/openafs-client-1.4.4-8.3mdv2008.0.x86_64.rpm
3d4ba9a602631ecfd4b2fa866e11d3fe 2008.0/x86_64/openafs-doc-1.4.4-8.3mdv2008.0.x86_64.rpm
9fe0892bec50d481644be493c51ef971 2008.0/x86_64/openafs-server-1.4.4-8.3mdv2008.0.x86_64.rpm
32880b76d44f126c2d5c06366a47d48d 2008.0/SRPMS/openafs-1.4.4-8.3mdv2008.0.src.rpm
