CVE-2016-4536

NameCVE-2016-4536
DescriptionThe client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory information by leveraging access to RPC call traffic.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-493-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openafs (PTS)bullseye1.8.6-5fixed
bullseye (security)1.8.6-5+deb11u2fixed
bookworm, bookworm (security)1.8.9-1+deb12u1fixed
trixie1.8.13.2-1fixed
sid1.8.14~pre1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openafssourcewheezy1.6.1-3+deb7u6DLA-493-1
openafssourcejessie1.6.9-2+deb8u6
openafssource(unstable)1.6.17-1

Notes

https://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt
Search for package or bug name: Reporting problems