Chapter 27. Response to CPIO Security Notice Issue 11:
XML-conversion;Updates
Refer to http://www.amanda.org/docs/security.html for the current version of

The AMANDA development team confirms the existence of the amrecover security
hole in recent versions of AMANDA. We have made a new release, AMANDA 2.4.0b5,
that fixes the amrecover problem and other potential security holes, and is the
product of a security audit conducted in conjunction with the OpenBSD effort.

The new version is available at:

ftp://ftp.amanda.org/pub/amanda/amanda-2.4.0b5.tar.gz

Here's some more information about the amrecover problem to supplement the
information given in the CPIO Security Notice:

The AMANDA 2.3.0.x interim releases that introduced amrecover, and the 2.4.0
beta releases by the AMANDA team are vulnerable.

AMANDA 2.3.0 and earlier UMD releases are not affected by this particular bug,
as amrecover was not part of those releases. However, earlier releases do have
potential security problems and other bugs, so the AMANDA Team recommends
upgrading to the new release as soon as practicable.

At an active site running AMANDA 2.3.0.x or 2.4.0 beta, amrecover/amindexd can

* removing amandaidx and amidxtape from /etc/inetd.conf
* restarting inetd so that it rereads /etc/inetd.conf (kill -HUP should do)

This will avoid this particular vulnerability while continuing to run backups.
However, other vulnerabilities might exist, so the AMANDA Team recommends
upgrading to the new release as soon as practicable.
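
The workaround above as an added shell example (not part of the original notice or of AMANDA): it comments out active amandaidx and amidxtape entries in an inetd configuration file, keeps a backup, and reports how many entries were disabled. The function names and the file argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: disable the inetd services used by amrecover.
# Function names and the FILE argument are assumptions, not AMANDA's own.

# active_amrecover_services FILE
# Prints the number of uncommented amandaidx/amidxtape entries in FILE.
active_amrecover_services() {
    # The first field of an inetd.conf entry is the service name, so
    # "#amandaidx ..." and "# amandaidx ..." are not counted as active.
    awk '$1 == "amandaidx" || $1 == "amidxtape" { n++ } END { print n + 0 }' "$1"
}

# disable_amrecover_services FILE
# Comments out the active entries, keeps the original as FILE.bak,
# and prints how many entries were disabled.
disable_amrecover_services() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    count=$(active_amrecover_services "$conf")
    # Nothing to do: leave the file and any earlier backup untouched.
    [ "$count" -gt 0 ] || { echo 0; return 0; }
    cp -p "$conf" "$conf.bak" || return 2
    awk '$1 == "amandaidx" || $1 == "amidxtape" { print "#" $0; next }
         { print }' "$conf.bak" > "$conf.tmp" || return 2
    # Write through the existing file so its owner and mode are preserved.
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    echo "$count"
}

# Stand-alone use: sh thisfile /etc/inetd.conf
# Afterwards inetd still has to reread the file (kill -HUP, as noted above).
if [ "$#" -eq 1 ]; then
    disable_amrecover_services "$1"
fi
```

The amanda backup entry itself is left alone, so backups continue to run while the index and tape services are off.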

This release (2.4.0) has addressed a number of security concerns with the
assistance of Theo de Raadt, Ejovi Nuwere and David Sacerdote of the OpenBSD
project. Thanks guys! Any problems that remain are our own fault, of course.

The AMANDA Team would also like to thank the many other people who have
contributed suggestions, patches, and new subsystems for AMANDA. We're grateful
for any contribution that helps us achieve and sustain critical mass for