[314] in athena10
DEBATHENA SECURITY: Local privilege escalation in Debathena
daemon@ATHENA.MIT.EDU (Evan Broder)
Fri Jul 11 20:16:00 2008
Message-ID: <4877F718.4050504@mit.edu>
Date: Fri, 11 Jul 2008 17:13:12 -0700
From: Evan Broder <broder@MIT.EDU>
Reply-To: debathena-root@MIT.EDU
MIME-Version: 1.0
To: debathena-announce@mit.edu
CC: sipb-office@mit.edu, athena10@mit.edu
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Package        : afuse, debathena-afuse-automounter
Vulnerability  : local privilege escalation

*ALL DEBATHENA USERS ARE STRONGLY URGED TO UPGRADE THEIR MACHINES
IMMEDIATELY*

The Debathena maintainers have discovered a local privilege
escalation vulnerability in the afuse package, used by the
debathena-afuse-automounter to provide /mit on Debathena
systems. After analyzing the vulnerability, we have determined
that afuse cannot be used in a secure fashion, and so we are
replacing it with the pyHesiodFS automounter (originally written
for MacAthena). We have uploaded a debathena-pyhesiodfs package
that will replace debathena-afuse-automounter. Additionally, we
have added a debathena-mit-automounter metapackage that depends
on the current recommended automounter configuration for
Debathena. This should simplify upgrades in the future.

Once you have upgraded, you can verify that you are no longer
vulnerable by running the following command and confirming that
it produces no output:

    mount | grep -q 'afuse on /mit' && echo "Vulnerable"

If you have any questions regarding this issue, please direct
them to debathena-root@mit.edu.

Upgrade Instructions:
---------------------

You can upgrade your machine by clicking "Reload", then "Mark All
Upgrades", and then "Apply" in the Synaptic package manager

OR

By running the following commands as root:

    aptitude update
    aptitude dist-upgrade

OR

By running the following commands as root:

    aptitude update
    aptitude install debathena-mit-automounter

Note: This e-mail has been BCCed to Moira owners of machines
using the Debathena apt repository.
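
Added example, not part of the original advisory: a script-friendly form of the verification check above. It exits non-zero when afuse is still mounted on /mit, whereas the advisory's one-liner exits non-zero in the safe case because grep finds nothing. The function name and the sample mount lines are constructed for illustration, and "example-automounter" is a placeholder, not the actual pyHesiodFS mount source.

```shell
#!/bin/sh
# Added example (not from the advisory): the post-upgrade check with
# explicit exit codes, suitable for cron or configuration management.
# Reads `mount`-style lines on stdin:
#     SOURCE on MOUNTPOINT type FSTYPE (OPTIONS)
# Exit status: 0 = no afuse mount on /mit, 1 = afuse still mounted on /mit.
mit_mount_status() {
    awk '
        # Compare whole fields so that /mitx or /mit/sub never match.
        $2 == "on" && $3 == "/mit" {
            if ($1 == "afuse") vulnerable = 1
            else other = $1 " (" $5 ")"
        }
        END {
            # Any afuse mount on /mit counts, even if another mount
            # is stacked on the same mount point.
            if (vulnerable) {
                print "VULNERABLE: afuse is still mounted on /mit"
                exit 1
            }
            if (other != "") {
                print "OK: /mit is provided by " other
                exit 0
            }
            print "OK: nothing is mounted on /mit"
        }'
}

# Constructed sample input. The non-afuse source name is a placeholder,
# not the real mount line of the replacement automounter.
SAMPLE_BEFORE='/dev/sda1 on / type ext3 (rw)
afuse on /mit type fuse (rw,nosuid,nodev)'
SAMPLE_AFTER='/dev/sda1 on / type ext3 (rw)
example-automounter on /mit type fuse (rw,nosuid,nodev)'

# Live use on a machine:  mount | mit_mount_status
```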