[OpenAFS-announce] SECURITY RELEASE: 1.6.13 now available
D Brashear
openafs-info@openafs.org
Thu, 30 Jul 2015 00:26:59 -0400
The OpenAFS Release Team is pleased to announce the availability of
OpenAFS version 1.6.13 for UNIX/Linux. Source files can be accessed
via the web at:
http://www.openafs.org/dl/openafs/1.6.13/
or via AFS at:
/afs/grand.central.org/software/openafs/1.6.13/
\\afs\grand.central.org\software\openafs\1.6.13\
At this time, Solaris, RedHat and FreeBSD binaries are available.
OpenAFS 1.6.13 is the next in the current series of stable releases of
OpenAFS for all platforms except Microsoft Windows. All changes in 1.6.13
are security fixes:
  All server platforms
    * Fix for CVE-2015-3282: vos leaks stack data onto the wire in the
      clear when creating vldb entries
    * Workaround for CVE-2015-3283: bos commands can be spoofed, including
      some which alter server state
    * Disabled searching the VLDB by volume name regular expression to avoid
      possible buffer overruns in the volume location server
  All client platforms
    * Fix for CVE-2015-3284: pioctls leak kernel memory
    * Fix for CVE-2015-3285: kernel pioctl support for OSD command passing
      can trigger a panic
  Solaris clients
    * Fix for CVE-2015-3286: Solaris grouplist modifications for PAGs can
      panic or overwrite memory
For the full list of user visible changes in 1.6.13, please see
http://dl.openafs.org/dl/1.6.13/RELNOTES-1.6.13
Security advisories for these and other issues can be found as always at
http://www.openafs.org/security/
Bug reports should be filed to openafs-bugs@openafs.org .
Daria Phoebe Brashear,
for the OpenAFS Release Team