[OpenAFS] [OpenAFS-announce] OpenAFS Security Releases 1.8.2, 1.6.23 available --> butc & backup security update question

Mark Vitale mvitale@sinenomine.net
Thu, 13 Sep 2018 16:05:34 +0000


Giovanni,

> On Sep 13, 2018, at 3:12 AM, Giovanni Bracco <giovanni.bracco@enea.it> wrote:

> I have read about the butc & backup security update.
>
> We run daily the AFS backup and I would like to understand if I need just to update the backup server with the new butc/backup modules or I need also to update all our file servers in order to match the new security improvements connected to backup.

Your question seems to be mostly concerned with securing your backups,
so I'll answer that specific question first.
If we just consider the OpenAFS backup system in isolation,
I'm pretty sure you do not need to make changes to your fileservers
in order to pick up the butc security fixes. (Ben, please chime in if
you disagree).
I believe you only _need_ to update butc, but of course it's good
practice for all the backup system components to have the same version:
- butc
- backup (client)
- buserver

However, the other security fixes in this release do include updates
to non-backup OpenAFS components, including several volserver fixes (which
would require updating your fileservers).  There are also important
client and DB server security fixes in this release.

Therefore, I think it's fine if you just update your backup components
for now.  However, since some of these vulnerabilities are remotely
exploitable, I recommend updating the rest of your cell to the current
release as soon as you can manage it.

Regards,
--
Mark Vitale
OpenAFS release team