DSA-2899-1 openafs -- security update

Bug #1305807 reported by Patrik Lundin
Affects            Status         Importance   Assigned to   Milestone
openafs (Ubuntu)   Fix Released   Undecided    Unassigned

Bug Description

Debian has announced updated packages to handle two issues in the OpenAFS fileserver.
Debian announcement: https://www.debian.org/security/2014/dsa-2899
OpenAFS announcement of the main patch: http://www.openafs.org/security/OPENAFS-SA-2014-001.txt

Note that the Debian update includes an additional patch that is not part of OPENAFS-SA-2014-001.

Tags: patch


description: updated
Revision history for this message
Patrik Lundin (patrik-lundin) wrote :

I have attempted to create two debdiffs for this; the only test performed has been running "debuild -i -us -uc -S" and "debuild -i -us -uc -b", which seems to work at least:

Lucid Lynx (from Debian Squeeze): openafs-1.4.12+dfsg-3+ubuntu0.4.patch
Precise Pangolin (from Debian Wheezy): openafs-1.6.1-1+ubuntu0.4.patch

I noticed different patch methods are used for the packages. I was not sure what to call the quilt patch on Precise but decided to name it after the DSA announcement.

Revision history for this message
Patrik Lundin (patrik-lundin) wrote :
information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Lucid Lynx (from Debian Squeeze)" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.6.1-1+ubuntu0.4

---------------
openafs (1.6.1-1+ubuntu0.4) precise-security; urgency=low

  * SECURITY UPDATE: Merge security patches from Debian Wheezy:
    - OPENAFS-SA-2014-001: Fix potential buffer overflow in the
      fileserver. (CVE-2014-0159)
    - Fix a potential DoS attack against Rx servers by avoiding suspending
      the listener thread when delaying connection abort messages.
    - Debian patches and above descriptions from <email address hidden>.
    - LP: #1305807
 -- Patrik Lundin <email address hidden> Thu, 10 Apr 2014 17:17:53 +0200

Changed in openafs (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openafs - 1.4.12+dfsg-3+ubuntu0.4

---------------
openafs (1.4.12+dfsg-3+ubuntu0.4) lucid-security; urgency=low

  * SECURITY UPDATE: Merge security patches from Debian Squeeze:
    - OPENAFS-SA-2014-001: Fix potential buffer overflow in the
      fileserver. (CVE-2014-0159)
      src/viced/afsfileprocs.c: Check STATS64_VERSION
    - Fix a potential DoS attack against Rx servers by delaying connection
      aborts instead of responding immediately.
      src/rx/rx.c: add rxi_SendConnectionAbortLater(), callers
    - Debian patches and above descriptions from <email address hidden>.
    - LP: #1305807
 -- Patrik Lundin <email address hidden> Thu, 10 Apr 2014 16:18:43 +0200

Changed in openafs (Ubuntu):
status: New → Fix Released
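The fix noted in the Lucid changelog above ("src/viced/afsfileprocs.c: Check STATS64_VERSION") is the usual shape of this class of bug: a client-supplied version number decides how much the server writes, and the buffer it writes into was sized for only one version. CVE-2014-0159 concerns a crafted statsVersion argument to the fileserver's GetStatistics64 RPC. The C below is an added illustration of that pattern and of the check that closes it; it is not OpenAFS's fileserver code. The constants STATS64_VERSION, STATS_WORDS and GUARD_WORD, the growth rule in words_for_version(), the counter values and the function names are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical values for this illustration; not OpenAFS's real constants. */
#define STATS64_VERSION 1u                     /* the only reply layout the server implements */
#define STATS_WORDS     4                      /* 64-bit counters in a version-1 reply */
#define GUARD_WORD      0xDEADBEEFCAFEF00DULL  /* canary placed just past the reply buffer */

/* Hypothetical growth rule: each newer version carries one more counter. */
static size_t words_for_version(uint32_t version)
{
    return STATS_WORDS + (size_t)(version - 1);
}

/* Constructed counter values standing in for real fileserver statistics. */
static uint64_t sample_counter(size_t i)
{
    return 1000 + i;
}

/*
 * Vulnerable pattern: the caller's reply buffer holds STATS_WORDS entries,
 * but the number of entries written is derived from the client-chosen
 * version, so a version larger than STATS64_VERSION writes past the end.
 */
int get_statistics64_unchecked(uint32_t version, uint64_t *reply)
{
    size_t n = words_for_version(version);
    for (size_t i = 0; i < n; i++)
        reply[i] = sample_counter(i);
    return 0;
}

/*
 * Hardened pattern: reject any version the reply buffer was not sized for
 * before touching the buffer; the caller turns -1 into an RPC error.
 */
int get_statistics64_checked(uint32_t version, uint64_t *reply)
{
    if (version != STATS64_VERSION)
        return -1;
    for (size_t i = 0; i < STATS_WORDS; i++)
        reply[i] = sample_counter(i);
    return 0;
}

/*
 * Harness: a STATS_WORDS reply buffer followed by one guard word, so a
 * one-word overrun (version STATS64_VERSION + 1) lands on the guard rather
 * than on unrelated memory. Only drive the unchecked handler with versions
 * up to STATS64_VERSION + 1; anything larger would run off the real array.
 * Returns 1 if the guard survived, 0 if it was overwritten; the handler's
 * return code comes back through *rc.
 */
int run_request(int (*handler)(uint32_t, uint64_t *), uint32_t version, int *rc)
{
    uint64_t buf[STATS_WORDS + 1];
    memset(buf, 0, sizeof buf);
    buf[STATS_WORDS] = GUARD_WORD;
    *rc = handler(version, buf);
    return buf[STATS_WORDS] == GUARD_WORD;
}

int main(void)
{
    int rc;
    uint32_t bad = STATS64_VERSION + 1;
    printf("unchecked, version %u: guard %s\n", (unsigned)bad,
           run_request(get_statistics64_unchecked, bad, &rc) ? "intact" : "CLOBBERED");
    printf("checked,   version %u: guard %s, rc=%d\n", (unsigned)bad,
           run_request(get_statistics64_checked, bad, &rc) ? "intact" : "CLOBBERED", rc);
    return 0;
}
```

The point of the harness is that the vulnerable handler reports success while having corrupted memory outside its buffer, which is exactly what a remote client sees: a normal reply, or a crash, depending on what sat past the buffer. The hardened handler fails closed, returning an error before any write, which is the behaviour the version check in the Debian patch restores.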
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Patrik!
