{"id":"MGASA-2019-0021","summary":"Updated openafs packages fix security vulnerabilities","details":"Jeffrey Altman reported that the backup tape controller (butc) process\ndoes accept incoming RPCs but does not require (or allow for)\nauthentication of those RPCs, allowing an unauthenticated attacker to\nperform volume operations with administrator credentials\n(CVE-2018-16947).\n\nMark Vitale reported that several RPC server routines do not fully\ninitialize output variables, leaking memory contents (from both the\nstack and the heap) to the remote caller for otherwise-successful RPCs\n(CVE-2018-16948).\n\nMark Vitale reported that an unauthenticated attacker can consume large\namounts of server memory and network bandwidth via specially crafted\nrequests, resulting in denial of service to legitimate clients\n(CVE-2018-16949).\n","modified":"2026-04-16T06:25:47.436540473Z","published":"2019-01-08T21:50:23Z","upstream":["CVE-2018-16947","CVE-2018-16948","CVE-2018-16949"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0021.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23663"},{"type":"WEB","url":"https://openafs.org/pages/security/OPENAFS-SA-2018-001.txt"},{"type":"WEB","url":"https://openafs.org/pages/security/OPENAFS-SA-2018-002.txt"},{"type":"WEB","url":"https://openafs.org/pages/security/OPENAFS-SA-2018-003.txt"},{"type":"WEB","url":"http://openafs.org/dl/openafs/1.6.23/RELNOTES-1.6.23"},{"type":"WEB","url":"https://www.debian.org/security/2018/dsa-4302"}],"affected":[{"package":{"name":"openafs","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/openafs?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.23-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0021.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}