Bug 1108155 - (CVE-2018-16949) VUL-1: CVE-2018-16949: openafs: large input values and consume server resources waiting for those inputs, denying service to other valid connections
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Christof Hanke
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/214128/
Reported: 2018-09-12 10:21 UTC by Alexander Bergmann
Modified: 2018-09-14 04:23 UTC

Found By: Security Response Team
Description Alexander Bergmann 2018-09-12 10:21:28 UTC
CVE-2018-16949

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several
data types used as RPC input variables were implemented as unbounded array
types, limited only by the inherent 32-bit length field to 4 GB. An
unauthenticated attacker could send, or claim to send, large input values and
consume server resources waiting for those inputs, denying service to other
valid connections.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16949
http://openafs.org/pages/security/OPENAFS-SA-2018-003.txt
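
The class of check the description above implies, as an added example that is not part of the original report and is not OpenAFS code: a decoder for a counted array that validates the claimed 32-bit length against a fixed bound and against the bytes actually received before allocating. The function name, the `MAX_ELEMS` value and the wire layout (big-endian count followed by 32-bit elements) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_ELEMS 1024u /* hypothetical bound; pick one per RPC argument type */

enum decode_status { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_TOO_LARGE = -2, DEC_NOMEM = -3 };

/* Read a big-endian 32-bit value, the encoding assumed for the length field. */
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Decode a counted array: 4-byte element count, then count * 4 bytes of data.
 * The claimed count is rejected if it exceeds MAX_ELEMS or the data present,
 * so an oversized claim costs the server no allocation.
 */
int decode_bounded_u32_array(const unsigned char *buf, size_t len,
                             uint32_t **out, uint32_t *out_count)
{
    uint32_t count, i;
    uint32_t *vals;

    *out = NULL;
    *out_count = 0;
    if (len < 4)
        return DEC_TRUNCATED;
    count = get_be32(buf);
    if (count > MAX_ELEMS)          /* bound check before any allocation */
        return DEC_TOO_LARGE;
    if ((len - 4) / 4 < count)      /* claimed more elements than were sent */
        return DEC_TRUNCATED;
    vals = calloc(count ? count : 1, sizeof(*vals));
    if (vals == NULL)
        return DEC_NOMEM;
    for (i = 0; i < count; i++)
        vals[i] = get_be32(buf + 4 + (size_t)i * 4);
    *out = vals;
    *out_count = count;
    return DEC_OK;
}
```

The caller frees `*out` on `DEC_OK`; on any other status nothing has been allocated.
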
Comment 1 Christof Hanke 2018-09-12 12:24:49 UTC
Updated packages in OBS to versions 1.6.23 and 1.8.2.
1.8.2 needs to be approved for Factory.
Comment 2 Christof Hanke 2018-09-14 04:23:50 UTC
Update accepted to Factory.