[OpenAFS-announce] OpenAFS release 1.6.14 available

Stephan Wiesand openafs-info@openafs.org
Thu, 13 Aug 2015 19:57:57 +0200

The OpenAFS Release Team is pleased to announce the availability of
version 1.6.14 for UNIX/Linux. Source files can be accessed via the web


or via AFS at:


There are no binaries yet. Those will be uploaded as they become

OpenAFS 1.6.14 is the next in the current series of stable releases of
for all platforms except Microsoft Windows. It fixes a single issue
in the previous release:

Prior to the OpenAFS security release 1.6.13, the Volume Location Server
(vlserver) RPC VL_ListAttributesN2() supported wildcard volume name lookups via
regular expression (regex) pattern matching. This support was completely
in 1.6.13 because it was judged to be a security risk due to buffer overruns in
the implementation, as well as the possibility of denial of service attacks where
certain regular expressions could cause excessive CPU usage in some
implementations. After 1.6.13 was released, it was discovered that the
OpenAFS 'backup' system uses the VL_ListAttributesN2() regex support to
configured volume sets.

As a result of this issue, OpenAFS 1.6.14 replaces the 1.6.13 changes to
VL_ListAttributesN2. 1.6.14 prevents the buffer overruns and reenables the regex
support, but restricts it to OpenAFS super-users and -localauth only. This is
sufficient to restore the OpenAFS 'backup' system's ability to work correctly with
any previously supported volume set. The OpenAFS 'backup' commands are
documented to require super-user authorization, so this restriction is moot for
the backup system.

For more details please see


Bug reports should be filed to openafs-bugs@openafs.org .

Stephan Wiesand, 1.6 Branch Release Manager,
for the OpenAFS Release Team
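
The restriction described in this announcement, sketched as an added C example (not OpenAFS source and not part of the original message): the caller's privilege is checked before the pattern is used at all, and the pattern is length-checked before it is copied into a fixed buffer. All function names, constants and volume names are hypothetical, and the ^...$ anchoring is an assumption.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed longest volume name, not an OpenAFS constant */
enum { LK_EPERM = -1, LK_ETOOLONG = -2, LK_EBADPAT = -3 };

/* Constructed sample volume names. */
static const char *const SAMPLE_VOLS[] = {
    "root.afs", "root.cell", "user.alice", "user.bob"
};
#define N_SAMPLE (sizeof SAMPLE_VOLS / sizeof SAMPLE_VOLS[0])

/* Returns the number of names matching `pattern`, or a negative LK_* error. */
int regex_lookup(int is_superuser, const char *pattern,
                 const char *const *names, size_t n)
{
    char anchored[NAME_MAX_LEN + 3];        /* '^' + pattern + '$' + NUL */
    regex_t re;
    size_t i;
    int count = 0;

    /* Unprivileged callers never reach the regex engine, so they can
     * neither trigger costly patterns nor exercise the copy below. */
    if (!is_superuser)
        return LK_EPERM;
    /* Reject any pattern with no terminator inside the bound. */
    if (memchr(pattern, '\0', NAME_MAX_LEN + 1) == NULL)
        return LK_ETOOLONG;
    snprintf(anchored, sizeof anchored, "^%s$", pattern);
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return LK_EBADPAT;
    for (i = 0; i < n; i++)
        if (regexec(&re, names[i], 0, NULL, 0) == 0)
            count++;
    regfree(&re);
    return count;
}

int main(void)
{
    printf("unprivileged: %d\n", regex_lookup(0, "user\\..*", SAMPLE_VOLS, N_SAMPLE));
    printf("super-user:   %d\n", regex_lookup(1, "user\\..*", SAMPLE_VOLS, N_SAMPLE));
    return 0;
}
```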