File: security.txt

package info (click to toggle)
amanda 1%3A2.5.2p1-4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 10,280 kB
  • ctags: 7,298
  • sloc: ansic: 84,433; sh: 14,160; xml: 8,467; perl: 2,821; makefile: 1,205; lex: 459; awk: 423; yacc: 240; tcl: 118; sql: 19
file content (79 lines) | stat: -rw-r--r-- 2,628 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
 

Chapter 29. Response to CPIO Security Notice Issue 11:
Prev  Part VI. Historical files                   Next

-------------------------------------------------------------------------------

Chapter 29. Response to CPIO Security Notice Issue 11:


Amanda Core Team

Original text
AMANDA Core Team

Stefan G. Weichinger

XML-conversion;Updates
AMANDA Core Team
<sgw@amanda.org>
Table of Contents


  Affected_Versions

  Workaround

  Acknowledgements

The Amanda development team confirms the existence of the amrecover security
hole in recent versions of Amanda. We have made a new release, Amanda 2.4.0b5,
that fixes the amrecover problem and other potential security holes, and is the
product of a security audit conducted in conjunction with the OpenBSD effort.
The new version is available at:
ftp://ftp.amanda.org/pub/amanda/amanda-2.4.0b5.tar.gz
Here's some more information about the amrecover problem to supplement the
information given in the CPIO Security Notice:

 Affected Versions

The Amanda 2.3.0.x interim releases that introduced amrecover, and the 2.4.0
beta releases by the Amanda team are vulnerable.
Amanda 2.3.0 and earlier UMD releases are not affected by this particular bug,
as amrecover was not part of those releases. However, earlier releases do have
potential security problems and other bugs, so the Amanda Team recommends
upgrading to the new release as soon as practicable.

 Workaround

At an active site running Amanda 2.3.0.x or 2.4.0 beta, amrecover/ amindexd can
be disabled by:

* removing amandaidx and amidxtape from /etc/inetd.conf


* restarting /etc/inetd.conf (kill -HUP should do)

This will avoid this particular vulnerability while continuing to run backups.
However, other vulnerabilities might exist, so the Amanda Team recommends
upgrading to the new release as soon as practicable.

 Acknowledgements

This release (2.4.0) has addressed a number of security concerns with the
assistance of Theo de Raadt, Ejovi Nuwere and David Sacerdote of the OpenBSD
project. Thanks guys! Any problems that remain are our own fault, of course.
The Amanda Team would also like to thank the many other people who have
contributed suggestions, patches, and new subsystems for Amanda. We're grateful
for any contribution that helps us achieve and sustain critical mass for
improving Amanda.

Note

Refer to http://www.amanda.org/docs/security.html for the current version of
this document.
-------------------------------------------------------------------------------

Prev                        Up                         Next
Part VI. Historical files  Home  Chapter 30. Upgrade Issues