Synopsis: Moderate: openafs security and enhancement update
Advisory ID: OPENAFS-SA-2016-003
Issue Date: 2016-12-14
—
Security Fix(es):
There are three different kinds of “dead” residual directory entry
leaks, each with a different cause:
1. There may be partial name data after the null terminator in a live
directory entry. This happens when a previously used directory entry
becomes free, then is reused for a directory entry with a shorter name.
2. “Dead” directory entries are left uncleared after an object is
deleted or renamed.
3. Residual directory entries may be inadvertently picked up when a new
directory is created or an existing directory is extended by a 2 KiB
page.
This happens because the fileserver shares a buffer pool for
directories of all AFS users, but does not clear each buffer upon
reuse. This is the most severe problem because the leaked information
may be from other directories or volumes for which the AFS user is not
authorized.
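
Causes 1 and 3 above, as an added example in C that is not OpenAFS code and not part of the advisory: a simplified model showing how a reused slot or pooled page keeps old name bytes unless it is zeroed first. SLOT_SIZE, the function names and the file names are assumptions constructed for illustration; only the 2 KiB page size comes from the text.

```c
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32   /* assumed slot size for this model, not OpenAFS's layout */
#define PAGE_SIZE 2048 /* the advisory's 2 KiB directory page */

static char shared_page[PAGE_SIZE]; /* stands in for one buffer of the shared pool */

/* Vulnerable pattern: write the new name, leave the rest of the slot alone. */
void entry_set_unsafe(char *slot, const char *name) {
    size_t n = strlen(name);
    if (n >= SLOT_SIZE) n = SLOT_SIZE - 1;
    memcpy(slot, name, n);
    slot[n] = '\0';
}

/* Hardened pattern: zero the whole slot before writing the name. */
void entry_set_cleared(char *slot, const char *name) {
    memset(slot, 0, SLOT_SIZE);
    entry_set_unsafe(slot, name);
}

/* Hand out the pooled page for a new directory; clear it only when asked. */
char *page_acquire(int clear_on_reuse) {
    if (clear_on_reuse) memset(shared_page, 0, PAGE_SIZE);
    return shared_page;
}

/* Count non-zero bytes after the first NUL in buf[0..len): residual data. */
size_t residual_bytes(const char *buf, size_t len) {
    const char *nul = memchr(buf, '\0', len);
    size_t count = 0;
    if (!nul) return 0;
    for (const char *p = nul + 1; p < buf + len; p++)
        if (*p != '\0') count++;
    return count;
}

int main(void) {
    char *page = page_acquire(1);
    entry_set_unsafe(page, "quarterly-payroll-2016.xls"); /* constructed name */
    entry_set_unsafe(page, "a.txt");                      /* slot reused, shorter name */
    printf("unsafe reuse:  %zu residual bytes\n", residual_bytes(page, SLOT_SIZE));
    entry_set_cleared(page, "a.txt");
    printf("cleared reuse: %zu residual bytes\n", residual_bytes(page, SLOT_SIZE));
    return 0;
}
```

Running residual_bytes over a whole page after page_acquire(0) shows the third cause the same way: whatever the previous user of the buffer wrote is still there.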
SL5 packages feature a backported patch to the vulnerable code.
Enhancement(s):
* OpenAFS on SL6 and SL7 has been rebased to 1.6.20
—
SL5
x86_64
kernel-module-openafs-2.6.18-416.el5-1.4.15-90.sl5.x86_64.rpm
kernel-module-openafs-2.6.18-416.el5xen-1.4.15-90.sl5.x86_64.rpm
openafs-1.4.15-90.sl5.x86_64.rpm
openafs-authlibs-1.4.15-90.sl5.x86_64.rpm
openafs-authlibs-devel-1.4.15-90.sl5.x86_64.rpm
openafs-client-1.4.15-90.sl5.x86_64.rpm
openafs-compat-1.4.15-90.sl5.x86_64.rpm
openafs-debug-1.4.15-90.sl5.x86_64.rpm
openafs-devel-1.4.15-90.sl5.x86_64.rpm
openafs-kernel-source-1.4.15-90.sl5.x86_64.rpm
openafs-kpasswd-1.4.15-90.sl5.x86_64.rpm
openafs-krb5-1.4.15-90.sl5.x86_64.rpm
openafs-server-1.4.15-90.sl5.x86_64.rpm
i386
kernel-module-openafs-2.6.18-416.el5-1.4.15-90.sl5.i686.rpm
kernel-module-openafs-2.6.18-416.el5PAE-1.4.15-90.sl5.i686.rpm
kernel-module-openafs-2.6.18-416.el5xen-1.4.15-90.sl5.i686.rpm
openafs-1.4.15-90.sl5.i386.rpm
openafs-authlibs-1.4.15-90.sl5.i386.rpm
openafs-authlibs-devel-1.4.15-90.sl5.i386.rpm
openafs-client-1.4.15-90.sl5.i386.rpm
openafs-compat-1.4.15-90.sl5.i386.rpm
openafs-debug-1.4.15-90.sl5.i386.rpm
openafs-devel-1.4.15-90.sl5.i386.rpm
openafs-kernel-source-1.4.15-90.sl5.i386.rpm
openafs-kpasswd-1.4.15-90.sl5.i386.rpm
openafs-krb5-1.4.15-90.sl5.i386.rpm
openafs-server-1.4.15-90.sl5.i386.rpm
SL6
x86_64
kmod-openafs-642-1.6.20-256.sl6.642.6.2.x86_64.rpm
openafs-1.6.20-256.sl6.x86_64.rpm
openafs-authlibs-1.6.20-256.sl6.x86_64.rpm
openafs-authlibs-devel-1.6.20-256.sl6.x86_64.rpm
openafs-client-1.6.20-256.sl6.x86_64.rpm
openafs-compat-1.6.20-256.sl6.x86_64.rpm
openafs-devel-1.6.20-256.sl6.x86_64.rpm
openafs-kernel-source-1.6.20-256.sl6.x86_64.rpm
openafs-kpasswd-1.6.20-256.sl6.x86_64.rpm
openafs-krb5-1.6.20-256.sl6.x86_64.rpm
openafs-module-tools-1.6.20-256.sl6.x86_64.rpm
openafs-plumbing-tools-1.6.20-256.sl6.x86_64.rpm
openafs-server-1.6.20-256.sl6.x86_64.rpm
i386
kmod-openafs-642-1.6.20-256.sl6.642.6.2.i686.rpm
openafs-1.6.20-256.sl6.i686.rpm
openafs-authlibs-1.6.20-256.sl6.i686.rpm
openafs-authlibs-devel-1.6.20-256.sl6.i686.rpm
openafs-client-1.6.20-256.sl6.i686.rpm
openafs-compat-1.6.20-256.sl6.i686.rpm
openafs-devel-1.6.20-256.sl6.i686.rpm
openafs-kernel-source-1.6.20-256.sl6.i686.rpm
openafs-kpasswd-1.6.20-256.sl6.i686.rpm
openafs-krb5-1.6.20-256.sl6.i686.rpm
openafs-module-tools-1.6.20-256.sl6.i686.rpm
openafs-plumbing-tools-1.6.20-256.sl6.i686.rpm
openafs-server-1.6.20-256.sl6.i686.rpm
SL7
x86_64
kmod-openafs-1.6-sl-514-1.6.20-256.7.514.x86_64.rpm
openafs-1.6-sl-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-authlibs-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-authlibs-devel-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-client-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-compat-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-devel-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-kernel-source-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-kpasswd-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-krb5-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-module-tools-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-plumbing-tools-1.6.20-256.7.x86_64.rpm
openafs-1.6-sl-server-1.6.20-256.7.x86_64.rpm
– Scientific Linux Development Team