Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Pat Riehecky <riehecky-13hema8v3vg <at> public.gmane.org>
Subject: Security ERRATA Critical: openafs on SL5.x, SL6.x i386/x86_64
Newsgroups: gmane.linux.scientific.errata
Date: Wednesday 24th July 2013 16:43:10 UTC (over 3 years ago)
Synopsis: Critical: openafs on SL5.x, SL6.x i386/x86_64
  Issue date:   2013-07-24
  CVE Numbers:  CVE-2013-4134
                CVE-2013-4135
--

OpenAFS uses Kerberos tickets to secure network traffic. For historical 
reasons, it has only supported the DES encryption algorithm to encrypt
these 
tickets. The weakness of DES's 56 bit key space has long been known,
however 
it has recently become possible to use that weakness to cheaply (around
$100) 
and rapidly (approximately 23 hours) compromise a service's long term key.
An 
attacker must first obtain a ticket for the cell. They may then use a brute

force attack to compromise the cell's private service key. Once an attacker

has gained access to the service key, they can use this to impersonate any 
user within the cell, including the super user, giving them access to all 
administrative capabilities as well as all user data. Recovering the
service 
key from a DES encrypted ticket is an issue for any Kerberos service still 
using DES (and especially so for realms which still have DES keys on their 
ticket granting ticket). (CVE-2013-4134)

The -encrypt option to the 'vos' volume management command should cause it
to 
encrypt all data between client and server. However, in versions of OpenAFS

later than 1.6.0, it has no effect, and data is transmitted with integrity 
protection only. In all versions of OpenAFS, vos -encrypt has no effect
when 
combined with the -localauth option. (CVE-2013-4135)
--

SL5
   x86_64
     kernel-module-openafs-2.6.18-308.20.1.el5-1.4.15-83.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-308.20.1.el5xen-1.4.15-83.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5-1.4.14-82.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5-1.4.15-83.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.14-82.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.15-83.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5-1.4.14-82.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5-1.4.15-83.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.14-82.sl5.x86_64.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.15-83.sl5.x86_64.rpm
     openafs-1.4.15-83.sl5.x86_64.rpm
     openafs-authlibs-1.4.15-83.sl5.x86_64.rpm
     openafs-authlibs-devel-1.4.15-83.sl5.x86_64.rpm
     openafs-client-1.4.15-83.sl5.x86_64.rpm
     openafs-compat-1.4.15-83.sl5.x86_64.rpm
     openafs-debug-1.4.15-83.sl5.x86_64.rpm
     openafs-devel-1.4.15-83.sl5.x86_64.rpm
     openafs-kernel-source-1.4.15-83.sl5.x86_64.rpm
     openafs-kpasswd-1.4.15-83.sl5.x86_64.rpm
     openafs-krb5-1.4.15-83.sl5.x86_64.rpm
     openafs-server-1.4.15-83.sl5.x86_64.rpm

   i386
     kernel-module-openafs-2.6.18-308.20.1.el5-1.4.15-83.sl5.i686.rpm
     kernel-module-openafs-2.6.18-308.20.1.el5PAE-1.4.15-83.sl5.i686.rpm
     kernel-module-openafs-2.6.18-308.20.1.el5xen-1.4.15-83.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5-1.4.14-82.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5-1.4.15-83.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5PAE-1.4.14-82.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5PAE-1.4.15-83.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.14-82.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.12.1.el5xen-1.4.15-83.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5-1.4.14-82.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5-1.4.15-83.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5PAE-1.4.14-82.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5PAE-1.4.15-83.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.14-82.sl5.i686.rpm
     kernel-module-openafs-2.6.18-348.6.1.el5xen-1.4.15-83.sl5.i686.rpm
     openafs-1.4.15-83.sl5.i386.rpm
     openafs-authlibs-1.4.15-83.sl5.i386.rpm
     openafs-authlibs-devel-1.4.15-83.sl5.i386.rpm
     openafs-client-1.4.15-83.sl5.i386.rpm
     openafs-compat-1.4.15-83.sl5.i386.rpm
     openafs-debug-1.4.15-83.sl5.i386.rpm
     openafs-devel-1.4.15-83.sl5.i386.rpm
     openafs-kernel-source-1.4.15-83.sl5.i386.rpm
     openafs-kpasswd-1.4.15-83.sl5.i386.rpm
     openafs-krb5-1.4.15-83.sl5.i386.rpm
     openafs-server-1.4.15-83.sl5.i386.rpm
   srpm
     openafs-1.4.15-83.sl5.src.rpm
SL6
   x86_64
     kmod-openafs-358-1.6.5-145.sl6.358.x86_64.rpm
     openafs-1.6.5-145.sl6.x86_64.rpm
     openafs-authlibs-1.6.5-145.sl6.x86_64.rpm
     openafs-authlibs-devel-1.6.5-145.sl6.x86_64.rpm
     openafs-client-1.6.5-145.sl6.x86_64.rpm
     openafs-compat-1.6.5-145.sl6.x86_64.rpm
     openafs-devel-1.6.5-145.sl6.x86_64.rpm
     openafs-kernel-source-1.6.5-145.sl6.x86_64.rpm
     openafs-kpasswd-1.6.5-145.sl6.x86_64.rpm
     openafs-krb5-1.6.5-145.sl6.x86_64.rpm
     openafs-module-tools-1.6.5-145.sl6.x86_64.rpm
     openafs-plumbing-tools-1.6.5-145.sl6.x86_64.rpm
     openafs-server-1.6.5-145.sl6.x86_64.rpm
   i386
     kmod-openafs-358-1.6.5-145.sl6.358.i686.rpm
     openafs-1.6.5-145.sl6.i686.rpm
     openafs-authlibs-1.6.5-145.sl6.i686.rpm
     openafs-authlibs-devel-1.6.5-145.sl6.i686.rpm
     openafs-client-1.6.5-145.sl6.i686.rpm
     openafs-compat-1.6.5-145.sl6.i686.rpm
     openafs-devel-1.6.5-145.sl6.i686.rpm
     openafs-kernel-source-1.6.5-145.sl6.i686.rpm
     openafs-kpasswd-1.6.5-145.sl6.i686.rpm
     openafs-krb5-1.6.5-145.sl6.i686.rpm
     openafs-module-tools-1.6.5-145.sl6.i686.rpm
     openafs-plumbing-tools-1.6.5-145.sl6.i686.rpm
     openafs-server-1.6.5-145.sl6.i686.rpm
   srpm
     openafs-1.6.5-145.sl6.src.rpm

- Scientific Linux Development Team
 
CD: 3ms