Topic: vos leaks stack data onto the wire in the clear when creating vldb entries
       CVE-2015-3282

Issued:         29-July-2015
Last Update:    29-July-2015
Affected:       OpenAFS versions through 1.6.12

A local user executing the vos command can expose local stack data
over the network when an unencrypted connection is being used.

SUMMARY
=======

vos makes use of allocations for nvldbentry structures when updating
VLDB entries which are not zeroed.


IMPACT
======

Stack data can be leaked in the clear if -crypt is not used.


AFFECTED SOFTWARE
=================

The vos executable in versions through 1.6.12 is affected.


FIXES
=====

The OpenAFS project recommends that administrators of fileservers upgrade
to OpenAFS version 1.6.13 or newer.

For those sites unable, or unwilling, to upgrade a patch which resolves this
issue is available directly from:

  http://www.openafs.org/security/openafs-sa-2015-001.patch

The latest stable OpenAFS release is always available from
http://www.openafs.org/release/latest.html

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

  http://www.openafs.org/security/

The main OpenAFS web page is at:

  http://www.openafs.org/