Upstream has issued an advisory on October 28:
http://openafs.org/pages/security/OPENAFS-SA-2015-007.txt

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated openafs packages fix security vulnerabilities:

When constructing an Rx acknowledgment (ACK) packet, Andrew-derived Rx implementations do not initialize three octets of data that are padding in the C language structure and were inadvertently included in the wire protocol (CVE-2015-7762).

Additionally, OpenAFS Rx before version 1.6.14 includes a variable-length padding at the end of the ACK packet, in an attempt to detect the path MTU, but only four octets of the additional padding are initialized (CVE-2015-7763).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7763
http://openafs.org/pages/security/OPENAFS-SA-2015-007.txt
http://openafs.org/dl/openafs/1.6.14/RELNOTES-1.6.14
http://openafs.org/dl/openafs/1.6.14.1/RELNOTES-1.6.14.1
http://openafs.org/dl/openafs/1.6.15/RELNOTES-1.6.15
https://lists.openafs.org/pipermail/openafs-announce/2015/000493.html
========================

Updated packages in core/updates_testing:
========================
openafs-1.6.15-1.mga5
openafs-client-1.6.15-1.mga5
openafs-server-1.6.15-1.mga5
libopenafs1-1.6.15-1.mga5
libopenafs-devel-1.6.15-1.mga5
libopenafs-static-devel-1.6.15-1.mga5
dkms-libafs-1.6.15-1.mga5
openafs-doc-1.6.15-1.mga5

from openafs-1.6.15-1.mga5.src.rpm
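
The class of bug behind CVE-2015-7762, as an added example that is not part of the original report and is not OpenAFS code: a sender that transmits a whole C structure also transmits its compiler-inserted padding, which keeps whatever was in memory unless the image is cleared first. The `demo_ack` layout, field values and `STALE` marker are constructed for illustration and do not reproduce the real Rx ACK structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA   /* constructed marker standing in for leftover memory */
#define NACKS 3

/* Hypothetical ACK layout (not the real Rx structure): 9 octets of fields,
 * which the compiler pads up to the alignment of uint32_t. */
struct demo_ack {
    uint32_t serial;
    uint8_t  reason;
    uint8_t  n_acks;
    uint8_t  acks[NACKS];
};

/* Write only the named fields into the packet image, as member-by-member
 * assignment would; padding octets keep whatever was there before. */
static void fill_fields(unsigned char *img)
{
    const uint32_t serial = 7;
    const uint8_t reason = 2, n_acks = NACKS, acks[NACKS] = {1, 1, 0};
    memcpy(img + offsetof(struct demo_ack, serial), &serial, sizeof serial);
    memcpy(img + offsetof(struct demo_ack, reason), &reason, 1);
    memcpy(img + offsetof(struct demo_ack, n_acks), &n_acks, 1);
    memcpy(img + offsetof(struct demo_ack, acks), acks, NACKS);
}

/* Build an image of sizeof(struct demo_ack) octets, the amount a sender
 * that transmits the whole structure puts on the wire, and count the
 * octets that still carry stale memory. */
static int stale_octets(int clear_first)
{
    unsigned char img[sizeof(struct demo_ack)];
    int n = 0;
    memset(img, STALE, sizeof img);          /* simulate reused memory */
    if (clear_first)
        memset(img, 0, sizeof img);          /* mitigation: zero before filling */
    fill_fields(img);
    for (size_t i = 0; i < sizeof img; i++)
        n += (img[i] == STALE);
    return n;
}

int main(void)
{
    printf("without clearing: %d stale octets\n", stale_octets(0));
    printf("with clearing:    %d stale octets\n", stale_octets(1));
    return 0;
}
```

On ABIs where `uint32_t` is 4-byte aligned the structure occupies 12 octets, so the uncleared image carries three stale octets, matching the count in the advisory text.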
testing x86_64
CC: (none) => paul.blackburn
x86_64 version tested and working OK. I have made some changes to the OpenAFS wiki page for the introduction of systemctl in this update. ref: https://wiki.mageia.org/en/Installing_OpenAFS_Client
Thanks Paul. Adding the OK.
Whiteboard: (none) => has_procedure mga5-64-ok
Validating. Advisory uploaded (with bad commit msg).
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs
Debian has issued an advisory for this on November 1: https://www.debian.org/security/2015/dsa-3387
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0424.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED