CVE-2013-4135

Published: 5 November 2013

The vos command in OpenAFS 1.6.x before 1.6.5, when using the -encrypt option, only enables integrity protection and sends data in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.

Priority

Status

Package	Release	Status
openafs Launchpad, Ubuntu, Debian	lucid	Released (1.4.12+dfsg-3+ubuntu0.3)
	precise	Released (1.6.1-1+ubuntu0.2)
	quantal	Released (1.6.1-2+ubuntu2.1)
	raring	Released (1.6.2-1+ubuntu2.1)
	upstream	Released (1.6.5)

References

http://www.openwall.com/lists/oss-security/2013/07/25/1
http://www.openafs.org/pages/security/OPENAFS-SA-2013-003.txt
https://www.cve.org/CVERecord?id=CVE-2013-4135
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/1204195

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›