-
-Chapter 29. Response to CPIO Security Notice Issue 11:
-Prev Part VI. Historical files Next
-
--------------------------------------------------------------------------------
-
-Chapter 29. Response to CPIO Security Notice Issue 11:
-
-
-Amanda Core Team
-
-Original text
-AMANDA Core Team
-
-Stefan G. Weichinger
-
-XML-conversion;Updates
-AMANDA Core Team
-<sgw@amanda.org>
-Table of Contents
-
-
- Affected_Versions
-
- Workaround
-
- Acknowledgements
-
-The Amanda development team confirms the existence of the amrecover security
-hole in recent versions of Amanda. We have made a new release, Amanda 2.4.0b5,
-that fixes the amrecover problem and other potential security holes, and is the
-product of a security audit conducted in conjunction with the OpenBSD effort.
-The new version is available at:
-ftp://ftp.amanda.org/pub/amanda/amanda-2.4.0b5.tar.gz
-Here's some more information about the amrecover problem to supplement the
-information given in the CPIO Security Notice:
-
- Affected Versions
-
-The Amanda 2.3.0.x interim releases that introduced amrecover, and the 2.4.0
-beta releases by the Amanda team are vulnerable.
-Amanda 2.3.0 and earlier UMD releases are not affected by this particular bug,
-as amrecover was not part of those releases. However, earlier releases do have
-potential security problems and other bugs, so the Amanda Team recommends
-upgrading to the new release as soon as practicable.
-
- Workaround
-
-At an active site running Amanda 2.3.0.x or 2.4.0 beta, amrecover/ amindexd can
-be disabled by:
-
-* removing amandaidx and amidxtape from /etc/inetd.conf
-
-
-* restarting /etc/inetd.conf (kill -HUP should do)
-
-This will avoid this particular vulnerability while continuing to run backups.
-However, other vulnerabilities might exist, so the Amanda Team recommends
-upgrading to the new release as soon as practicable.
-
- Acknowledgements
-
-This release (2.4.0) has addressed a number of security concerns with the
-assistance of Theo de Raadt, Ejovi Nuwere and David Sacerdote of the OpenBSD
-project. Thanks guys! Any problems that remain are our own fault, of course.
-The Amanda Team would also like to thank the many other people who have
-contributed suggestions, patches, and new subsystems for Amanda. We're grateful
-for any contribution that helps us achieve and sustain critical mass for
-improving Amanda.
-
-Note
-
-Refer to http://www.amanda.org/docs/security.html for the current version of
-this document.
--------------------------------------------------------------------------------
-
-Prev Up Next
-Part VI. Historical files Home Chapter 30. Upgrade Issues
-