Bugzilla – Bug 1155394
VUL-0: CVE-2019-18601: openafs: denial of service from unserialized data creating VOTE_Debug RPC calls
Last modified: 2019-12-09 07:43:17 UTC
CVE-2019-18601 OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of service from unserialized data access because remote attackers can make a series of VOTE_Debug RPC calls to crash a database server within the SVOTE_Debug RPC handler. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18601 http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18601.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18601 https://openafs.org/pages/security/OPENAFS-SA-2019-003.txt
Same comment as in #1155396 The upstream security-fixed version is already accepted in openSUSE:Factory. Somehow I can't figure out how to get that into LEAP 15.1 Normal submission tells me to use the maintenance workflow and this one says: hanke@dijon:/srv/OBS/home:hauky:branches:OBS_Maintained:openafs/openafs.openSUSE_Leap_15.1_Update> osc maintenancerequest --incident=1155396 openSUSE:Factory openafs openSUSE:Leap:15.1:Update Using target project 'openSUSE:Maintenance:1155396' Server returned an error: HTTP Error 404: Not Found openSUSE:Maintenance:1155396 So, what to do ?
Maitenance request to upgrade to openafs-1.8.5 for Leap 15.1 accepted https://build.opensuse.org/request/show/748510