]> git.gag.com Git - debian/amanda/blobdiff - docs/security.txt
projects / debian / amanda / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Imported Upstream version 2.4.5
[debian/amanda] / docs / security.txt
diff --git a/docs/security.txt b/docs/security.txt
new file mode 100644 (file)
index 0000000..e3d5803
--- /dev/null
+++ b/docs/security.txt
@@ -0,0 +1,79 @@
+
+Chapter 27. Response to CPIO Security Notice Issue 11:
+Prev  Part VI. Historical files                   Next
+
+-------------------------------------------------------------------------------
+
+Chapter 27. Response to CPIO Security Notice Issue 11:
+
+
+AMANDA Core Team
+
+Original text
+AMANDA Core Team
+
+Stefan G. Weichinger
+
+XML-conversion;Updates
+AMANDA Core Team
+<sgw@amanda.org>
+Table of Contents
+
+
+  Affected_Versions
+
+  Workaround
+
+  Acknowledgements
+
+
+Note
+
+Refer to http://www.amanda.org/docs/security.html for the current version of
+this document.
+The AMANDA development team confirms the existence of the amrecover security
+hole in recent versions of AMANDA. We have made a new release, AMANDA 2.4.0b5,
+that fixes the amrecover problem and other potential security holes, and is the
+product of a security audit conducted in conjunction with the OpenBSD effort.
+The new version is available at:
+ftp://ftp.amanda.org/pub/amanda/amanda-2.4.0b5.tar.gz
+Here's some more information about the amrecover problem to supplement the
+information given in the CPIO Security Notice:
+
+ Affected Versions
+
+The AMANDA 2.3.0.x interim releases that introduced amrecover, and the 2.4.0
+beta releases by the AMANDA team are vulnerable.
+AMANDA 2.3.0 and earlier UMD releases are not affected by this particular bug,
+as amrecover was not part of those releases. However, earlier releases do have
+potential security problems and other bugs, so the AMANDA Team recommends
+upgrading to the new release as soon as practicable.
+
+ Workaround
+
+At an active site running AMANDA 2.3.0.x or 2.4.0 beta, amrecover/ amindexd can
+be disabled by:
+
+* removing amandaidx and amidxtape from /etc/inetd.conf
+
+
+* restarting /etc/inetd.conf (kill -HUP should do)
+
+This will avoid this particular vulnerability while continuing to run backups.
+However, other vulnerabilities might exist, so the AMANDA Team recommends
+upgrading to the new release as soon as practicable.
+
+ Acknowledgements
+
+This release (2.4.0) has addressed a number of security concerns with the
+assistance of Theo de Raadt, Ejovi Nuwere and David Sacerdote of the OpenBSD
+project. Thanks guys! Any problems that remain are our own fault, of course.
+The AMANDA Team would also like to thank the many other people who have
+contributed suggestions, patches, and new subsystems for AMANDA. We're grateful
+for any contribution that helps us achieve and sustain critical mass for
+improving AMANDA.
+-------------------------------------------------------------------------------
+
+Prev                        Up                         Next
+Part VI. Historical files  Home  Chapter 28. Upgrade Issues
+
Debian packaging of amanda