[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2009-001
Noah Abrahamson
nbfa@stanford.edu
Wed, 8 Apr 2009 09:52:42 -0700
On Apr 8, 2009, at 9:38 AM, Simon Wilkinson wrote:
> [Mac OS X] 10.3 is affected. 10.4 and 10.5 are not.
Thanks for the clarification, Simon. As a follow-up, in the notice for
the Security Advisory 2009-001, it says:
> FIXES
> =====
>
> The OpenAFS project recommends that administrators with Unix clients
> upgrade to OpenAFS version 1.4.9 or newer, or as appropriate for people
> testing features in the OpenAFS 1.5 series, OpenAFS version 1.5.59 or newer.
> Only Unix clients need to be upgraded to address the issue in this advisory.
>
> For those sites unable, or unwilling, to upgrade a patch which resolves this
> issue is available as
> STABLE14-avoid-buffer-overflow-on-rx-fixed-size-array-return-20090402
> in the OpenAFS delta system, or directly from
> http://www.openafs.org/security/openafs-sa-2009-001.patch
> The corresponding PGP signature is available from
> http://www.openafs.org/security/openafs-sa-2009-001.sig
>
> Note that this patch is against 1.4.8, although it may apply to earlier
> releases, and to other branches.
Now that it's indicated Mac OS X 10.3 is affected, there appears to be
no tested patch, and no .pkg installer above 1.4.1 per
<http://openafs.org/pages/macos.html#panther>.
Suggestions?
Noah
-------------------
Noah Abrahamson
CRC Server Group
Stanford University
+1 (650) 736-4179