CVE-2016-9772

Name: CVE-2016-9772
Description: OpenAFS 1.6.19 and earlier allows remote attackers to obtain sensitive directory information via vectors involving the (1) client cache partition, (2) fileserver vice partition, or (3) certain RPC responses.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-733-1
NVD severity: medium (attack range: remote)
Debian Bugs: 846922

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| openafs (PTS) | jessie | 1.6.9-2+deb8u7 | fixed |
| | jessie (security) | 1.6.9-2+deb8u8 | fixed |
| | stretch (security), stretch | 1.6.20-2+deb9u2 | fixed |
| | buster, sid | 1.8.2-1 | fixed |

The information below is based on the following data on fixed versions.

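| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| openafs | source | (unstable) | 1.6.20-1 | medium | | 846922 |
| openafs | source | jessie | 1.6.9-2+deb8u6 | medium | | |
| openafs | source | wheezy | 1.6.1-3+deb7u7 | medium | DLA-733-1 | |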

Notes

https://www.openafs.org/pages/security/OPENAFS-SA-2016-003.txt
Upstream patch: https://www.openafs.org/pages/security/openafs-sa-2016-003-master.patch (master)
Upstream patch: https://www.openafs.org/pages/security/openafs-sa-2016-003.patch
http://www.openwall.com/lists/oss-security/2016/12/01/12
