[OpenAFS] OpenAFS Security Releases 1.8.2, 1.6.23 available

Dave Botsch botsch@cnf.cornell.edu
Fri, 12 Oct 2018 12:53:14 -0400

Usually I grab the .src.rpm, rebuild it, and then push the generated
binaries to our machines.

On Fri, Oct 12, 2018 at 04:46:46PM +0000, Sebby, Brian A. wrote:
> Previous releases have included source RPMs that made it easier for us to build RPMs to deploy to our Red Hat-based servers.  I was hoping it maybe had just not been released yet, but there still isn't a source RPM for 1.6.23.  It looks like one was built for, so I may just end up deploying that since we do not use any of the backup utilities.  I know that support for RPMs from OpenAFS is something that's been discussed for a long time, but I hadn't seen any official announcement (unless I missed it) that indicated that they would no longer be created.
> For any other folks using Red Hat – what are you doing for deploying OpenAFS?  Are there any repos out there equivalent to the Ubuntu PP
> Brian
> --
> Brian Sebby  (sebby@anl.gov)  |  Information Technology Infrastructure
> Phone: +1 630.252.9935        |  Business Information Services
> Cell:  +1 630.921.4305        |  Argonne National Laboratory
> From: <openafs-info-admin@openafs.org> on behalf of Benjamin Kaduk <kad=
> Date: Tuesday, September 11, 2018 at 2:09 PM
> To: <openafs-announce@openafs.org>
> Cc: <openafs-devel@openafs.org>, <openafs-info@openafs.org>
> Subject: [OpenAFS] OpenAFS Security Releases 1.8.2, 1.6.23 available
> The OpenAFS Guardians are happy to announce the availability of
> Security Releases OpenAFS 1.8.2 and 1.6.23.
> Source files can be accessed via the web at:
>        https://www.openafs.org/release/openafs-1.8.2.html
>        https://www.openafs.org/release/openafs-1.6.23.html
> or via AFS at:
>        UNIX: /afs/grand.central.org/software/openafs/1.8.2/
>        UNC: \\afs\grand.central.org\software\openafs\1.8.2\
>        UNIX: /afs/grand.central.org/software/openafs/1.6.23/
>        UNC: \\afs\grand.central.org\software\openafs\1.6.23\
> These releases include fixes for three security advisories,
> OPENAFS-SA-2018-001, OPENAFS-SA-2018-002, and OPENAFS-SA-2018-003.
> OPENAFS-SA-2018-001 only affects deployments that run the 'butc' utility
> as part of the in-tree backup system, but is of high severity for
> those sites which are affected -- an anonymous attacker could replace
> entire volumes with attacker-controlled contents.
> OPENAFS-SA-2018-002 is for information leakage over the network via
> uninitialized RPC output variables.  A number of RPCs are affected,
> some of which require the caller to be authenticated, but in some cases
> hundreds of bytes of data can be leaked per call.  Of note is that
> cache managers are also subject to (kernel) memory leakage via
> OPENAFS-SA-2018-003 is a denial of service whereby anonymous attackers
> can cause server processes to consume large quantities of memory for
> a sustained period of time.
> Please see the release notes and security advisories for additional details.
> The changes to fix OPENAFS-SA-2018-001 require behavior change in both
> butc(8) and backup(8) to use authenticated connections; old and new
> versions of these utilities will not interoperate absent specific
> configuration of the new tool to use the old (insecure) behavior.
> These changes also are expected to cause backup(8)'s interactive mode
> to be limited to only butc connections requiring (or not requiring)
> authentication within a given interactive session, based on the initial
> arguments selected.
> Bug reports should be filed to openafs-bugs@openafs.org
> Benjamin Kaduk
> for the OpenAFS Guardians

David William Botsch
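As an added example (not part of this thread or of OpenAFS itself), a small POSIX sh check for triaging which hosts are still on a pre-fix OpenAFS before the rebuilt RPMs get pushed: a host is considered patched only at or above 1.6.23 on the 1.6 branch or 1.8.2 on the 1.8 branch, as the announcement states. The host names and version strings below are constructed, and obtaining the version via `rpm -q --qf '%{VERSION}' openafs` is an assumption about the reader's packaging.

```shell
#!/bin/sh
# openafs_fixed VERSION -> exit 0 if VERSION is at/after the release carrying
# the OPENAFS-SA-2018-001..003 fixes for its branch, 1 otherwise.
# VERSION is "major.minor.patch" (assumed format, e.g. from
# `rpm -q --qf '%{VERSION}' openafs`). Branches other than 1.6 and 1.8 are
# reported as needing attention rather than silently passed.
openafs_fixed() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;          # "1.8" with no patch level is older than 1.8.2
    esac
    num=${patch%%[!0-9]*}        # leading digits of the patch level
    suffix=${patch#"$num"}       # anything after them, e.g. "pre1"
    [ -n "$num" ] || return 1    # no numeric patch level: treat as unpatched
    case "$major.$minor" in
        1.6) need=23 ;;
        1.8) need=2 ;;
        *)   return 1 ;;
    esac
    if [ -n "$suffix" ]; then
        [ "$num" -gt "$need" ]   # a pre-release such as 1.8.2pre1 precedes 1.8.2
    else
        [ "$num" -ge "$need" ]
    fi
}

# needs_update_hosts: read "host version" lines on stdin and print the hosts
# that still run a version without the fixes.
needs_update_hosts() {
    while read -r host ver; do
        openafs_fixed "$ver" || printf '%s\n' "$host"
    done
}

# Constructed sample inventory; in practice feed the output of your own
# fleet query here.
printf '%s\n' 'fs1 1.6.22' 'fs2 1.6.23' 'db1 1.8.1' 'db2 1.8.2' 'db3 1.8.2pre1' \
    | needs_update_hosts
```
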