[OpenAFS-announce] OpenAFS 1.2.6 release available; Fixes XDR security issue
Garry Zacheiss
zacheiss@MIT.EDU
Sat, 03 Aug 2002 06:53:58 -0400
OpenAFS 1.2.6 is now available for download from the openafs.org web
site and in the openafs.org AFS cell.
This release fixes the SUNRPC XDR integer overflow security
vulnerability that came to light earlier this week. This bug can be
exploited to crash certain OpenAFS server processes (volserver,
vlserver, ptserver, buserver) or to obtain unauthorized root access to a
host running one of these processes.
The OpenAFS fileserver and cache manager (client) are not vulnerable
to these attacks. No exploits are presently known to be available
for this vulnerability.
Please see:
http://www.openafs.org/security/index.html#OPENAFS-SA-2002-001
for the full security advisory.
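The announcement names the bug class only (an integer overflow in XDR decoding of SUNRPC messages). The block below is an added illustration, not OpenAFS or SunRPC source: a constructed decoder for an XDR variable-length array of 32-bit integers that validates the attacker-controlled element count before any size arithmetic, next to the unchecked multiplication such a fix replaces. MAX_ELEMS, the function names and the sample buffers are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed illustration of the XDR length-check bug class; not OpenAFS
 * or SunRPC code. An XDR variable-length array is encoded as a 4-byte
 * big-endian element count followed by the elements, here 4-byte
 * big-endian uint32 values. */

#define MAX_ELEMS 1024u   /* assumed application-level bound on the count */
#define ELEM_SIZE 4u      /* wire size of one element */

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The unchecked computation the hardened decoder avoids: the untrusted
 * count is multiplied in 32-bit arithmetic with no bound, so a huge count
 * wraps to a tiny allocation size while a decode loop still trusts the
 * count. Kept here only to make the defect concrete. */
uint32_t unsafe_alloc_size(uint32_t n)
{
    return n * ELEM_SIZE;   /* wraps modulo 2^32, e.g. 0x40000001 * 4 == 4 */
}

/* Hardened decode. Returns 0 and sets *out/*count on success (caller
 * frees *out), -1 if the message is rejected. */
int decode_u32_array_checked(const unsigned char *buf, size_t buflen,
                             uint32_t **out, uint32_t *count)
{
    if (buflen < 4)
        return -1;                          /* no room for the count */
    uint32_t n = get_u32(buf);

    /* 1. Application bound, applied before any arithmetic on n. */
    if (n > MAX_ELEMS)
        return -1;
    /* 2. Explicit overflow guard, so the invariant survives if MAX_ELEMS
     *    is ever raised. */
    if (n > SIZE_MAX / ELEM_SIZE)
        return -1;
    size_t need = (size_t)n * ELEM_SIZE;
    /* 3. The buffer must actually carry that many elements. */
    if (buflen - 4 < need)
        return -1;

    uint32_t *arr = n ? malloc(need) : NULL;
    if (n && !arr)
        return -1;
    for (uint32_t i = 0; i < n; i++)
        arr[i] = get_u32(buf + 4 + (size_t)i * ELEM_SIZE);
    *out = arr;
    *count = n;
    return 0;
}

int main(void)
{
    /* Constructed sample messages: a well-formed 2-element array and one
     * whose count would wrap the naive size computation. */
    unsigned char good[] = {0, 0, 0, 2, 0, 0, 0, 7, 0, 0, 0, 9};
    unsigned char bad[]  = {0x40, 0, 0, 1, 0, 0, 0, 7};
    uint32_t *arr = NULL, cnt = 0;

    if (decode_u32_array_checked(good, sizeof good, &arr, &cnt) == 0) {
        printf("decoded %u elements: %u %u\n", cnt, arr[0], arr[1]);
        free(arr);
    }
    printf("naive size for count 0x40000001: %u bytes\n",
           unsafe_alloc_size(0x40000001u));
    printf("checked decoder verdict on that count: %d\n",
           decode_u32_array_checked(bad, sizeof bad, &arr, &cnt));
    return 0;
}
```

The three checks are ordered so that the untrusted count is bounded before it ever participates in a multiplication; the wrap shown by unsafe_alloc_size is the mechanism by which a crafted count turns into an undersized allocation, which is why the advisory describes both crashes and privilege escalation as possible outcomes.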
If you are unable to upgrade your servers to OpenAFS 1.2.6 at this time,
patches against the OpenAFS 1.2.x series can be found at:
http://www.openafs.org/security/xdr-updates-20020731.delta
In addition to the gzipped tarfile of source, binary distributions of
OpenAFS 1.2.6 are available for AIX 4.3.3, Darwin 1.4, Digital UNIX
4.0F, Tru64 5.0A, Irix 6.5, Solaris 2.6, Solaris 7, Solaris 8, and
Solaris 9 in a gzipped tar format, MacOS X 10.1 in a tar file, and
Debian 3.0 (Woody) i386 dpkgs.
Red Hat RPMs are not available at this time. We anticipate making them
available sometime in the next week.
As always, the latest release can be found at:
http://www.openafs.org/release/latest.html
Thanks to:
Derrick Brashear for the AIX 4.3.3, Tru64 5.0A, Solaris 7 and Solaris
9 binaries.
Sam Hartman for Debian 3.0 dpkgs.
Garry, for the OpenAFS gatekeepers.