--- /dev/null
+
+Chapter 27. Response to CPIO Security Notice Issue 11:
+Prev Part VI. Historical files Next
+
+-------------------------------------------------------------------------------
+
+Chapter 27. Response to CPIO Security Notice Issue 11:
+
+
+AMANDA Core Team
+
+Original text
+AMANDA Core Team
+
+Stefan G. Weichinger
+
+XML-conversion;Updates
+AMANDA Core Team
+<sgw@amanda.org>
+Table of Contents
+
+
+ Affected_Versions
+
+ Workaround
+
+ Acknowledgements
+
+
+Note
+
+Refer to http://www.amanda.org/docs/security.html for the current version of
+this document.
+The AMANDA development team confirms the existence of the amrecover security
+hole in recent versions of AMANDA. We have made a new release, AMANDA 2.4.0b5,
+that fixes the amrecover problem and other potential security holes, and is the
+product of a security audit conducted in conjunction with the OpenBSD effort.
+The new version is available at:
+ftp://ftp.amanda.org/pub/amanda/amanda-2.4.0b5.tar.gz
+Here's some more information about the amrecover problem to supplement the
+information given in the CPIO Security Notice:
+
+ Affected Versions
+
+The AMANDA 2.3.0.x interim releases that introduced amrecover, and the 2.4.0
+beta releases by the AMANDA team are vulnerable.
+AMANDA 2.3.0 and earlier UMD releases are not affected by this particular bug,
+as amrecover was not part of those releases. However, earlier releases do have
+potential security problems and other bugs, so the AMANDA Team recommends
+upgrading to the new release as soon as practicable.
+
+ Workaround
+
+At an active site running AMANDA 2.3.0.x or 2.4.0 beta, amrecover/ amindexd can
+be disabled by:
+
+* removing amandaidx and amidxtape from /etc/inetd.conf
+
+
+* restarting /etc/inetd.conf (kill -HUP should do)
+
+This will avoid this particular vulnerability while continuing to run backups.
+However, other vulnerabilities might exist, so the AMANDA Team recommends
+upgrading to the new release as soon as practicable.
+
+ Acknowledgements
+
+This release (2.4.0) has addressed a number of security concerns with the
+assistance of Theo de Raadt, Ejovi Nuwere and David Sacerdote of the OpenBSD
+project. Thanks guys! Any problems that remain are our own fault, of course.
+The AMANDA Team would also like to thank the many other people who have
+contributed suggestions, patches, and new subsystems for AMANDA. We're grateful
+for any contribution that helps us achieve and sustain critical mass for
+improving AMANDA.
+-------------------------------------------------------------------------------
+
+Prev Up Next
+Part VI. Historical files Home Chapter 28. Upgrade Issues
+