The Amanda development team confirms the existence of the amrecover
security hole in recent versions of Amanda. We have made a new
release, Amanda 2.4.0b5, that fixes the amrecover problem and other
potential security holes, and is the product of a security audit
conducted in conjunction with the OpenBSD effort. The new version is
available at:
ftp://ftp.amanda.org/pub/amanda/amanda-2.4.0b5.tar.gz
Here's some more information about the amrecover problem to supplement the
information given in the CPIO Security Notice:
VERSIONS AFFECTED:
The Amanda 2.3.0.x interim releases that introduced amrecover, and the
2.4.0 beta releases by the Amanda team are vulnerable.
Amanda 2.3.0 and earlier UMD releases are not affected by this particular
bug, as amrecover was not part of those releases. However, earlier
releases do have potential security problems and other bugs, so the Amanda
Team recommends upgrading to the new release as soon as practicable.
WORKAROUND:
At an active site running Amanda 2.3.0.x or 2.4.0 beta, amrecover/amindexd
can be disabled by:
- removing amandaidx and amidxtape from /etc/inetd.conf
- restarting inetd.conf (kill -HUP should do)
This will avoid this particular vulnerability while continuing to run backups.
However, other vulnerabilities might exist, so the Amanda Team recommends
upgrading to the new release as soon as practicable.
ACKNOWLEGMENTS:
This release (2.4.0) has addressed a number of security concerns with
the assistance of Theo de Raadt, Ejovi Nuwere and David Sacerdote of
the OpenBSD project. Thanks guys! Any problems that remain are our
own fault, of course.
The Amanda Team would also like to thank the many other people who have
contributed suggestions, patches, and new subsystems for Amanda. We're
grateful for any contribution that helps us achieve and sustain critical
mass for improving Amanda.