Описание
A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| openafs | fixed | 1.8.13-1 | package |
Примечания
http://openafs.org/pages/security/OPENAFS-SA-2024-001.txt
https://lists.openafs.org/pipermail/openafs-devel/2024-November/020961.html
https://www.openafs.org/pages/security/openafs-sa-2024-001-stable16.patch (openafs-stable-1_6_25)
https://www.openafs.org/pages/security/openafs-sa-2024-001-stable18.patch (openafs-stable-1_8_13)
http://git.openafs.org/?p=openafs.git;a=commit;h=20c22347b41eea2ebbdc0ab15f16c822af44df51 (openafs-stable-1_8_13)
http://git.openafs.org/?p=openafs.git;a=commit;h=57b655e4837d8660ebcc25d95efb09118adaff07 (openafs-stable-1_8_13)
Связанные уязвимости
A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.
A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.
A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.