[OpenAFS-announce] OpenAFS security release 1.6.17 available

Benjamin Kaduk openafs-info@openafs.org
Wed, 16 Mar 2016 11:19:41 -0400 (EDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The OpenAFS Security Team is pleased to announce the availability of
OpenAFS version 1.6.17 for UNIX/Linux. Source files can be accessed via
the web at:

  http://www.openafs.org/dl/openafs/1.6.17/

or via AFS at:

  /afs/grand.central.org/software/openafs/1.6.17/
  \\afs\grand.central.org\software\openafs\1.6.17\

There are no binaries yet. Those will be uploaded as they become
available.

OpenAFS 1.6.17 is the next in the current series of stable releases of
OpenAFS for all platforms except Microsoft Windows.

This release fixes the vulnerabilities tracked as OPENAFS-SA-2016-001 and
OPENAFS-SA-2016-002.

OPENAFS-SA-2016-001 (CVE-2016-2860): Users from foreign Kerberos realms
can create groups as if they were administrators

OPENAFS-SA-2016-002: Information leakage over the network due to
uninitialized memory

For more details please see

  http://dl.openafs.org/dl/1.6.17/RELNOTES-1.6.17

  http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt
  http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt

Bug reports should be filed to openafs-bugs@openafs.org.

ACKNOWLEDGEMENTS

OPENAFS-SA-2016-001 was reported by Peter Iannucci
OPENAFS-SA-2016-002 was reported by Marc Dionne

Benjamin Kaduk
OpenAFS Security Officer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----