Bug 1155395 - (CVE-2019-18602) VUL-0: CVE-2019-18602: openafs: information disclosure via uninitialized scalars are sent over the network
(CVE-2019-18602)
VUL-0: CVE-2019-18602: openafs: information disclosure via uninitialized scal...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem
Leap 15.1
Other Other
: P3 - Medium : Minor (vote)
: ---
Assigned To: Christof Hanke
Security Team bot
https://smash.suse.de/issue/246031/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-10-30 07:06 UTC by Alexander Bergmann
Modified: 2019-12-09 07:43 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-10-30 07:06:58 UTC
CVE-2019-18602

OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to an information
disclosure vulnerability because uninitialized scalars are sent over the network
to a peer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18602
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18602.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18602
https://openafs.org/pages/security/OPENAFS-SA-2019-002.txt
Comment 1 Christof Hanke 2019-11-11 09:48:07 UTC
Same comment as in #1155396
The upstream security-fixed version is already accepted in openSUSE:Factory.
Somehow I can't figure out how to get that into LEAP 15.1
Normal submission tells me to use the maintenance workflow 
and this one says:

hanke@dijon:/srv/OBS/home:hauky:branches:OBS_Maintained:openafs/openafs.openSUSE_Leap_15.1_Update> osc maintenancerequest  --incident=1155396  openSUSE:Factory openafs openSUSE:Leap:15.1:Update
Using target project 'openSUSE:Maintenance:1155396'
Server returned an error: HTTP Error 404: Not Found
openSUSE:Maintenance:1155396

So, what to do ?
Comment 2 Christof Hanke 2019-12-09 07:43:33 UTC
Maitenance request to upgrade to openafs-1.8.5 for Leap 15.1 accepted
https://build.opensuse.org/request/show/748510