[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Releases 1.8.2, 1.6.23
available --> butc & backup security update question
Giovanni Bracco
giovanni.bracco@enea.it
Thu, 13 Sep 2018 09:12:06 +0200
Hello everybody!
I have read about the butc & backup security update.
We run the AFS backup daily and I would like to understand whether I
need to update just the backup server with the new butc/backup modules
or whether I also need to update all our file servers in order to match
the new security improvements connected to backup.
Giovanni
On 11/09/2018 21:04, Benjamin Kaduk wrote:
>
> The OpenAFS Guardians are happy to announce the availability of
> Security Releases OpenAFS 1.8.2 and 1.6.23.
> Source files can be accessed via the web at:
>
> https://www.openafs.org/release/openafs-1.8.2.html
> https://www.openafs.org/release/openafs-1.6.23.html
>
> or via AFS at:
>
> UNIX: /afs/grand.central.org/software/openafs/1.8.2/
> UNC: \\afs\grand.central.org\software\openafs\1.8.2\
> UNIX: /afs/grand.central.org/software/openafs/1.6.23/
> UNC: \\afs\grand.central.org\software\openafs\1.6.23\
>
> These releases include fixes for three security advisories,
> OPENAFS-SA-2018-001, OPENAFS-SA-2018-002, and OPENAFS-SA-2018-003.
>
> OPENAFS-SA-2018-001 only affects deployments that run the 'butc' utility
> as part of the in-tree backup system, but is of high severity for
> those sites which are affected -- an anonymous attacker could replace
> entire volumes with attacker-controlled contents.
>
> OPENAFS-SA-2018-002 is for information leakage over the network via
> uninitialized RPC output variables. A number of RPCs are affected,
> some of which require the caller to be authenticated, but in some cases
> hundreds of bytes of data can be leaked per call. Of note is that
> cache managers are also subject to (kernel) memory leakage via
> AFSCB_ RPCs.
>
> OPENAFS-SA-2018-003 is a denial of service whereby anonymous attackers
> can cause server processes to consume large quantities of memory for
> a sustained period of time.
>
> Please see the release notes and security advisories for additional details.
>
> The changes to fix OPENAFS-SA-2018-001 require behavior change in both
> butc(8) and backup(8) to use authenticated connections; old and new
> versions of these utilities will not interoperate absent specific
> configuration of the new tool to use the old (insecure) behavior.
> These changes also are expected to cause backup(8)'s interactive mode
> to be limited to only butc connections requiring (or not requiring)
> authentication within a given interactive session, based on the initial
> arguments selected.
>
> Bug reports should be filed to openafs-bugs@openafs.org.
>
> Benjamin Kaduk
> for the OpenAFS Guardians
>
--
Giovanni Bracco
phone +39 351 8804788
E-mail giovanni.bracco@enea.it
WWW http://www.afs.enea.it/bracco
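As an added illustration (not part of this thread or of OpenAFS itself), the following script audits a host inventory against the fixed versions named in the announcement, 1.8.2 for the 1.8 branch and 1.6.23 for the 1.6 branch, and separately warns when the butc and backup hosts are only partly updated, since the announcement states that old and new versions of those two tools do not interoperate without explicit configuration. The inventory, host names and roles are constructed for the example; the version strings are compared numerically, with packaging suffixes such as "-1.el7" ignored.

```python
import re

# Minimum fixed version per release branch, as stated in the announcement.
FIXED_MIN = {(1, 8): (1, 8, 2), (1, 6): (1, 6, 23)}

# Constructed inventory for illustration: (host, role, installed OpenAFS version).
# These are not real hosts; replace with your own site data.
INVENTORY = [
    ("backup01", "backup", "1.6.22"),
    ("tape01", "butc", "1.6.23"),
    ("fs01", "fileserver", "1.8.1"),
    ("fs02", "fileserver", "1.8.2"),
    ("db01", "dbserver", "1.6.23"),
    ("ws07", "cache-manager", "1.8.0"),
]


def parse_version(text):
    """Turn '1.8.2' or '1.6.23-1.el7' into a comparable (major, minor, patch) tuple.

    Only the first three numeric fields are used; packaging suffixes are ignored.
    """
    nums = re.findall(r"\d+", text)
    if len(nums) < 3:
        raise ValueError(f"unrecognised OpenAFS version: {text!r}")
    return tuple(int(n) for n in nums[:3])


def status(version):
    """'fixed', 'vulnerable', or 'unknown-branch' for a version string."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_MIN:
        return "unknown-branch"
    return "fixed" if v >= FIXED_MIN[branch] else "vulnerable"


def audit(inventory=INVENTORY):
    """Return the hosts still below the fixed release for their branch."""
    return [(host, role, ver) for host, role, ver in inventory
            if status(ver) == "vulnerable"]


def backup_tools_mixed(inventory=INVENTORY):
    """True when butc/backup hosts are only partly updated.

    The announcement says old and new butc(8)/backup(8) do not interoperate
    unless the new tool is explicitly configured for the old behaviour, so a
    mixed state means the next backup run will fail rather than silently work.
    """
    states = {status(ver) for _, role, ver in inventory
              if role in ("butc", "backup")}
    return "fixed" in states and "vulnerable" in states


if __name__ == "__main__":
    for host, role, ver in audit():
        print(f"{host:10} {role:14} {ver:10} below fixed version for its branch")
    if backup_tools_mixed():
        print("butc/backup hosts are a mix of old and new: update them together")
```

Run it against an inventory exported from your configuration management; hosts on a branch other than 1.6 or 1.8 are reported as unknown rather than assumed safe.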