Mageia alert MGASA-2017-0037 (openafs)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2017-0037: Updated openafs packages fix security vulnerability 
Date:
    	     
 
Thu, 2 Feb 2017 20:17:48 +0100
Message-ID:
    	     
 
<20170202191748.76C609F7CC@duvel.mageia.org>
MGASA-2017-0037 - Updated openafs packages fix security vulnerability

Publication date: 02 Feb 2017
URL: http://advisories.mageia.org/MGASA-2017-0037.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-9772

Description:
Due to incomplete initialization or clearing of reused memory, OpenAFS
directory objects are likely to contain "dead" directory entry
information. This extraneous information is not active - that is, it is
logically invisible to the fileserver and client. However, the leaked
information is physically visible on the fileserver vice partition, on
the wire in FetchData replies and other RPCs, and on the client cache
partition. This constitutes a leak of directory information
(CVE-2016-9772).

The openafs package has been updated to version 1.6.20, to fix this
issue and other bugs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=19879
- https://www.openafs.org/pages/security/OPENAFS-SA-2016-00...
- http://openafs.org/dl/openafs/1.6.18.1/RELNOTES-1.6.18.1
- http://openafs.org/dl/openafs/1.6.18.2/RELNOTES-1.6.18.2
- http://openafs.org/dl/openafs/1.6.18.3/RELNOTES-1.6.18.3
- https://dl.openafs.org/dl/1.6.19/RELNOTES-1.6.19
- https://dl.openafs.org/dl/1.6.20/RELNOTES-1.6.20
- http://openwall.com/lists/oss-security/2016/12/02/9
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9772

SRPMS:
- 5/core/openafs-1.6.20-1.mga5