Debian 9 DSA-4302-1 Critical: Openafs Denial Of Service Issues

Debian, September 23, 2018
Debian DSA-4302-1 addresses critical vulnerabilities in OpenAFS, stemming from poor input sanitization and access controls, risking unauthorized access and data leakage.
Several vulnerabilities were discovered in openafs, an implementation of the distributed filesystem AFS.

Summary

CVE-2018-16947

Jeffrey Altman reported that the backup tape controller (butc)
process does accept incoming RPCs but does not require (or allow
for) authentication of those RPCs, allowing an unauthenticated
attacker to perform volume operations with administrator
credentials.

https://openafs.org/pages/security/OPENAFS-SA-2018-001.txt

CVE-2018-16948

Mark Vitale reported that several RPC server routines do not fully
initialize output variables, leaking memory contents (from both
the stack and the heap) to the remote caller for
otherwise-successful RPCs.

https://openafs.org/pages/security/OPENAFS-SA-2018-002.txt
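CVE-2018-16948 is the classic uninitialized-output bug: a server routine writes only the fields it needs and marshals the whole variable back to the caller. The following added example (not OpenAFS code; the struct, field names and routines are constructed for illustration) shows the buggy pattern beside the hardened one, plus a check a reviewer or fuzz harness can use to count stale bytes in the regions the routine never set.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed reply structure for illustration; not OpenAFS's real wire format. */
struct volume_status_reply {
    uint32_t volume_id;
    uint32_t state;
    uint32_t in_use;   /* set only on some code paths in the buggy version */
    char     name[32]; /* NUL-terminated, usually shorter than the buffer */
};

/* Copy the name with a guaranteed terminator; returns the copied length. */
static size_t copy_name(struct volume_status_reply *out, const char *name)
{
    size_t n = strlen(name);
    if (n > sizeof out->name - 1) n = sizeof out->name - 1;
    memcpy(out->name, name, n);
    out->name[n] = '\0';
    return n;
}

/* Buggy pattern: in_use and name[] past the NUL keep stale memory, and the whole struct is sent. */
void fill_reply_uninitialized(struct volume_status_reply *out, uint32_t id, const char *name)
{
    out->volume_id = id;
    out->state = 0;
    copy_name(out, name);
}

/* Hardened pattern: clear the entire output variable before filling it. */
void fill_reply_zeroed(struct volume_status_reply *out, uint32_t id, const char *name)
{
    memset(out, 0, sizeof *out);
    out->volume_id = id;
    out->state = 0;
    copy_name(out, name);
}

/* Harness check: count nonzero bytes in regions the routine never set; any such byte is a leak. */
size_t count_stale_bytes(const struct volume_status_reply *r, size_t name_len)
{
    const unsigned char *p = (const unsigned char *)r;
    size_t stale = 0, i;
    for (i = 0; i < sizeof r->in_use; i++)
        stale += p[offsetof(struct volume_status_reply, in_use) + i] != 0;
    for (i = name_len + 1; i < sizeof r->name; i++)
        stale += p[offsetof(struct volume_status_reply, name) + i] != 0;
    return stale;
}
```

Pre-fill the reply buffer with a marker byte such as 0xAA to stand in for stale stack contents: for a nine-character name the buggy routine leaves 26 marker bytes in the reply (4 in in_use, 22 in the tail of name[]), the hardened routine none.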

CVE-2018-16949

Mark Vitale reported that an unauthenticated attacker can consume
large amounts of server memory and network bandwidth via
specially crafted requests, resulting in denial of service to
legitimate clients.

https://openafs.org/pages/security/OPENAFS-SA-2018-003.txt

For the stable distribution (stretch), these problems hav...


Severity: critical

Package: openafs
CVE ID: CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
