Synopsis: Important: OpenAFS security update
Advisory ID: RITM0891205
Issue Date: 2019-10-23
* Fix OPENAFS-SA-2019-001: information leakage in failed RPC output
Generated RPC handler routines ran output variables through XDR encoding
even when the call had failed and would shortly be aborted (and for
which uninitialized output variables is common); any complete packets
assembled in the process would be sent to the peer, leaking the contents
of the uninitialized memory in question.
* Fix OPENAFS-SA-2019-002: information leakage from uninitialized scalars
Generated RPC handler routines did not initialize output variables of
scalar (fixed-length) type, since they did not require dedicated logic to
free. Such variables allocated on the stack could remain uninitialized
in some cases (including those affected by OPENAFS-SA-2019-001), and the
contents of uninitialized memory would be returned to the peer.
– Scientific Linux Development Team