[Bug 356861] Re: OpenAFS Security Advisories 2009-001 and 2009-002

Anders Kaseorg andersk at mit.edu
Tue Apr 7 23:18:43 BST 2009


Changelog from 1.4.8.dfsg1-3 to 1.4.9.dfsg1-0+ubuntu1:

 openafs (1.4.9.dfsg1-0+ubuntu1) jaunty; urgency=low
 .
   * New upstream release.
     - Fix OPENAFS-SA-2009-001 - Network based buffer overflow attack
       against Unix cache manager.  (LP: #356861)
     - Fix OPENAFS-SA-2009-002 - Denial of service attack against Linux
       cache manager.  (LP: #356861)

Changelog from 1.4.8.dfsg1-3 to 1.4.10+dfsg1-1:

 openafs (1.4.10+dfsg1-1) unstable; urgency=high
 .
   * New upstream release.
     - OPENAFS-SA-2009-001: Avoid a potential kernel memory overrun if more
       items than requested are returned from an InlineBulk or BulkStatus
       message.  (CVE-2009-1251)
     - OPENAFS-SA-2009-002: Avoid converting negative errors into invalid
       kernel memory pointers.  (CVE-2009-1250)
     - Preliminary support for 2.6.30 kernels.
     - Dynamic vcache allocation support to deal with inotify vcache
       pinning.
     - Do appropriate locking for CellServDB in /proc.
     - Use +dfsg instead of .dfsg for saner version sorting.
   * Debian's 2.6.29 packages no longer include symlinks from the
     architecture-specific header tree to the common header tree and
     instead overlay both header trees using kbuild.  Change the Autoconf
     probes to always use kbuild and generate stub headers in the paths
     that OpenAFS expects that include the linux headers.  Patch from Aaron
     M. Ucko.  (Closes: #521745)
   * Build PIC versions of libafsauthent and libafsrpc and install them in
     libopenafs-dev for use when AFS code should be embedded into shared
     libraries.  Patch from Garrett Wollman.
   * Update CellServDB to 2008-11-07 version.  (Closes: #522451)
   * Update debian/watch for +dfsg naming instead of .dfsg.
   * Update standards version to 3.8.1 (no changes required).
   * Translation updates:
     - Japanese, thanks Hideki Yamane.  (Closes: #521518)


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1250

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1251

-- 
OpenAFS Security Advisories 2009-001 and 2009-002
https://bugs.launchpad.net/bugs/356861
You received this bug notification because you are a member of Ubuntu
Sponsors for universe, which is a direct subscriber.


