CVE-2016-4536

NameCVE-2016-4536
DescriptionThe client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory information by leveraging access to RPC call traffic.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-493-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openafs (PTS)stretch (security), stretch1.6.20-2+deb9u2fixed
buster1.8.2-1fixed
bullseye1.8.6~pre1-3fixed
sid1.8.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openafssource(unstable)1.6.17-1
openafssourcejessie1.6.9-2+deb8u6
openafssourcewheezy1.6.1-3+deb7u6DLA-493-1

Notes

https://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt
Search for package or bug name: Reporting problems