VulnerableCode Package Details - pkg:deb/ubuntu/openafs@1.8.2-1ubuntu0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-7exr-hbp5-aaam Aliases: CVE-2018-16947	An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. The backup tape controller (butc) process accepts incoming RPCs but does not require (or allow for) authentication of those RPCs. Handling those RPCs results in operations being performed with administrator credentials, including dumping/restoring volume contents and manipulating the backup database. For example, an unauthenticated attacker can replace any volume's content with arbitrary data.	1.8.4~pre1-1ubuntu2 Affected by 0 other vulnerabilities.
VCID-spuv-5rhp-aaab Aliases: CVE-2018-16949	An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several data types used as RPC input variables were implemented as unbounded array types, limited only by the inherent 32-bit length field to 4 GB. An unauthenticated attacker could send, or claim to send, large input values and consume server resources waiting for those inputs, denying service to other valid connections.	1.8.4~pre1-1ubuntu2 Affected by 0 other vulnerabilities.
VCID-srn2-af6s-aaaa Aliases: CVE-2018-16948	An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several RPC server routines did not fully initialize their output variables before returning, leaking memory contents from both the stack and the heap. Because the OpenAFS cache manager functions as an Rx server for the AFSCB service, clients are also susceptible to information leakage. For example, RXAFSCB_TellMeAboutYourself leaks kernel memory and KAM_ListEntry leaks kaserver memory.	1.8.4~pre1-1ubuntu2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7exr-hbp5-aaam
Aliases:
CVE-2018-16947

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. The backup tape controller (butc) process accepts incoming RPCs but does not require (or allow for) authentication of those RPCs. Handling those RPCs results in operations being performed with administrator credentials, including dumping/restoring volume contents and manipulating the backup database. For example, an unauthenticated attacker can replace any volume's content with arbitrary data.

1.8.4~pre1-1ubuntu2
Affected by 0 other vulnerabilities.

VCID-spuv-5rhp-aaab
Aliases:
CVE-2018-16949

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several data types used as RPC input variables were implemented as unbounded array types, limited only by the inherent 32-bit length field to 4 GB. An unauthenticated attacker could send, or claim to send, large input values and consume server resources waiting for those inputs, denying service to other valid connections.

1.8.4~pre1-1ubuntu2
Affected by 0 other vulnerabilities.

VCID-srn2-af6s-aaaa
Aliases:
CVE-2018-16948

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several RPC server routines did not fully initialize their output variables before returning, leaking memory contents from both the stack and the heap. Because the OpenAFS cache manager functions as an Rx server for the AFSCB service, clients are also susceptible to information leakage. For example, RXAFSCB_TellMeAboutYourself leaks kernel memory and KAM_ListEntry leaks kaserver memory.

1.8.4~pre1-1ubuntu2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Next non-vulnerable version	1.8.4~pre1-1ubuntu2
Latest non-vulnerable version	1.8.4~pre1-1ubuntu2
Risk	4.4