OPENAFS-SA-2015-007 "Tattletale"

ACK on the debdiff, thanks!

Update package is building now and will be released when ready. Thanks!

(FYI, I made a couple of minor changes to the debian/changelog file)

This bug was fixed in the package openafs - 1.6.1-1+ubuntu0.7

---------------
openafs (1.6.1-1+ubuntu0.7) precise-security; urgency=low

  * SECURITY UPDATE: Apply OPENAFS-SA-2015-007 "Tattletale" patch
    (LP: #1513461)
    - OPENAFS-SA-2015-007.patch: Rx ACK packets leak plaintext of previous
      packets
    - CVE-2015-7762
    - CVE-2015-7763

 -- Klas Mattsson <email address hidden> Thu, 05 Nov 2015 12:50:39 +0100

Great, thanks!

Here's the same patch but made for trusty and for 1.6.7 instead.

There are other CVEs which are still unfixed in the trusty package. Do you think you could add them also to the debdiff?

http://people.canonical.com/~ubuntu-security/cve/pkg/openafs.html

Thanks!

Hmm, I suppose I could.

All those errors seems to have been fixed in normal patches to openafs in different versions.
Would you prefer if i patched it up ti 1.6.15-1 directly or made a 1.6.7-ubuntu# which will basically be the same as 1.6.15-1?

We usually backport the specific security fixes, rather than whole versions so we don't introduce any other unrelated changes.

Could you simply add the security fixes as was done in precise's 1.6.1-1+ubuntu0.6 and 1.6.1-1+ubuntu0.7 packages?

Sure thing, I'll add a patch as soon as I've had time to make it.

You should note that one of the patches, the one addressing:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6587.html

Has a couple of issues.
Basically, it removes functionality as an interim fix for the actual patch which is added in 1.6.13.

So, while this patch will remove that security hole, it will also in some cases break functionality.
This issue already exists in 12.04 of course.

To quote the openafs git repo where they reverted back from this fix:

commit fc43236872c798fe426590714d19773c74d4bbbe
Author: Jeffrey Altman <email address hidden>
Date: Mon Aug 3 15:03:00 2015 -0400

    Revert "vlserver: Disable regex volume name processing in ListAttributesN2"

    This change reverts commit 22481ab3705522ac1988b7de038c4dbc1e5009a9 which
    by disabling regex queries of volume names breaks some backup software
    including TSM.

Ok then, here's the patch with all the CVEs addressed.

Fully copied from upstream.

Debdiff in comment #11 looks good, thanks!

Package is building now (with a couple of minor debian/changelog changes) and will be released when built.

Thanks!

This bug was fixed in the package openafs - 1.6.7-1ubuntu1.1

---------------
openafs (1.6.7-1ubuntu1.1) trusty-security; urgency=low

  * SECURITY UPDATES (LP: #1513461):
    - CVE-2015-3282: Clear nvldbentry before sending on the wire
    - CVE-2015-3283: Use crypt for commands where spoofing could be a risk
    - CVE-2015-3284: Clear pioctl data interchange buffer before use
    - CVE-2015-3285: Use correct output buffer for FSCmd pioctl
    - CVE-2015-6587: Disable regex volume name processing in ListAttributesN2
    - CVE-2015-7762: Apply OPENAFS-SA-2015-007 "Tattletale" patch
    - CVE-2015-7763: Apply OPENAFS-SA-2015-007 "Tattletale" patch
    - OPENAFS-SA-2015-007.patch: Rx ACK packets leak plaintext of previous packets

 -- Klas Mattsson <email address hidden> Tue, 10 Nov 2015 08:03:52 +0100

Unsubscribing ubuntu-security-sponsors as there is no further debdiff to process. Please re-subscribe when attaching another one. Thanks!