OpenAFS: Multiple vulnerabilities — GLSA 201404-05

Multiple vulnerabilities have been found in OpenAFS, worst of which can allow attackers to execute arbitrary code

Affected Packages

net-fs/openafs on all architectures
Affected versions < 1.6.5
Unaffected versions >= 1.6.5

Background

OpenAFS is an client-server program suite for federated file sharing and replicated content distribution.

Description

Multiple vulnerabilities have been discovered in OpenAFS. Please review the CVE identifiers referenced below for details.

Impact

An attacker could potentially execute arbitrary code with the permissions of the user running the AFS server, cause a Denial of Service condition, or gain access to sensitive information. Additionally, an attacker could compromise a cell’s private key, allowing them to impersonate any user in the cell.

Workaround

There is no known workaround at this time.

Resolution

All OpenAFS users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-fs/openafs-1.6.5"
 

References

Release Date
April 07, 2014

Latest Revision
April 07, 2014: 1

Severity
high

Exploitable
local, remote

Bugzilla entries