> > On 29.08.25 18:28, Jose M Calhariz wrote:
> > > Just found out, the latest security update for Debian v11 breaks the command bos.
> > >
> > > Any attempt to run "bos status <server>" returns:
> > >
> > > bos: running unauthenticated
> > > bos: failed to contact host's bosserver (RPC interface mismatch (-451)).
I can reproduce this; it happens with 1.8.6-5+deb11u1 specifically, not 1.8.9-1+deb12u1. I don't think there's anything special about the target server; it shouldn't require any particular version.

It looks like 1.8.6-5+deb11u1 doesn't have upstream commit 5abea9b8b1164f203fe18b5abe7d64ac8cb514eb (bos: Let xdr allocate rpc output strings), included in upstream 1.8.8. Without that, bos tries to reuse the string buffer for various rpc output arguments, which is prohibited by the "xdr: Prevent XDR_DECODE buffer overruns" commit, mentioned by Ben:

On Fri, 29 Aug 2025 11:08:38 -0700 "Benjamin Kaduk" <[email protected]> wrote:
> I would be looking more closely at the xdr_string() change in src/rx/xdr.c
> (note the commit message there specifically refers to several callsites in
> bos.c that rely on the behavior of functions that make use of
> xdr_string()).
>
> The "OPENAFS-SA-2024-003: xdr: Prevent XDR_DECODE buffer overruns" change
> is also touching some potentially relevant code, as does
> "OPENAFS-SA-2024-003: xdr: Ensure correct string length in xdr_string".

--
Andrew Deason
[email protected]
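The two contracts the thread is about, a decoder that refuses to write more than a caller-supplied buffer can hold, and a caller that passes NULL so the decoder allocates each output string itself ("let xdr allocate"), as an added illustration that is not code from the thread or from OpenAFS. It is a deliberately simplified model of XDR string decoding (4-byte big-endian length, bytes padded to a multiple of four) and does not reproduce src/rx/xdr.c; `struct xdr_in`, `xdr_string_decode` and the two demo callers are names chosen here, and the wire bytes are constructed sample input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified XDR-style input stream (hypothetical, not OpenAFS's XDR type):
 * each string is a 4-byte big-endian length followed by the bytes, padded
 * to a 4-byte boundary. */
struct xdr_in {
    const uint8_t *buf;
    size_t len;
    size_t pos;
};

static int xdr_getu32(struct xdr_in *x, uint32_t *out)
{
    if (x->len - x->pos < 4)
        return 0;
    *out = ((uint32_t)x->buf[x->pos] << 24) | ((uint32_t)x->buf[x->pos + 1] << 16)
         | ((uint32_t)x->buf[x->pos + 2] << 8) | (uint32_t)x->buf[x->pos + 3];
    x->pos += 4;
    return 1;
}

/* Decode one string.  If *cpp is NULL the decoder allocates size+1 bytes
 * (the "let xdr allocate" style).  If the caller supplied a buffer, the
 * contract is that it holds maxsize+1 bytes, so a longer encoded string is
 * rejected instead of being copied past the end of that buffer.  Returns 1
 * on success, 0 on any failure, leaving a caller buffer untouched. */
int xdr_string_decode(struct xdr_in *x, char **cpp, uint32_t maxsize)
{
    uint32_t size, padded;
    char *sp;

    if (!xdr_getu32(x, &size))
        return 0;
    if (size > maxsize)                 /* would not fit the caller's buffer */
        return 0;
    padded = (size + 3) & ~3u;
    if (padded > x->len - x->pos)       /* would read past the end of input */
        return 0;

    sp = *cpp;
    if (sp == NULL) {
        sp = malloc((size_t)size + 1);
        if (sp == NULL)
            return 0;
        *cpp = sp;
    }
    memcpy(sp, x->buf + x->pos, size);
    sp[size] = '\0';
    x->pos += padded;
    return 1;
}

/* Constructed sample wire data: "ok" followed by "hello". */
static const uint8_t sample_wire[] = {
    0, 0, 0, 2, 'o', 'k', 0, 0,
    0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0
};

/* Caller in the "let xdr allocate" style: every output string gets its own
 * freshly allocated buffer, so nothing is reused between arguments.
 * Returns 1 when both strings decode and the whole input is consumed. */
int decode_alloc_demo(void)
{
    struct xdr_in x = { sample_wire, sizeof sample_wire, 0 };
    char *a = NULL, *b = NULL;
    int ok = 0;

    if (xdr_string_decode(&x, &a, 1024) && xdr_string_decode(&x, &b, 1024))
        ok = (strcmp(a, "ok") == 0 && strcmp(b, "hello") == 0
              && x.pos == sizeof sample_wire);
    free(a);
    free(b);
    return ok;
}

/* Caller that reuses one small fixed buffer for both strings.  With maxsize
 * equal to the buffer's real capacity, "ok" fits but the 5-byte "hello" is
 * refused and the buffer keeps its previous contents.  Returns 1 if the
 * decoder behaves that way. */
int decode_oversize_rejected(void)
{
    struct xdr_in x = { sample_wire, sizeof sample_wire, 0 };
    char small[3] = "zz";               /* room for 2 characters plus NUL */
    char *p = small;

    if (!xdr_string_decode(&x, &p, 2))  /* "ok" fits */
        return 0;
    if (strcmp(small, "ok") != 0)
        return 0;
    if (xdr_string_decode(&x, &p, 2))   /* "hello" must be refused */
        return 0;
    return strcmp(small, "ok") == 0;    /* buffer unchanged by the failure */
}

int main(void)
{
    printf("allocate-per-string caller: %s\n", decode_alloc_demo() ? "ok" : "FAIL");
    printf("oversized string rejected:  %s\n", decode_oversize_rejected() ? "ok" : "FAIL");
    return 0;
}
```

The second demo is the shape of the breakage in the thread: a caller that hands the decoder a buffer it has already used, with a declared capacity, now gets a hard failure for anything that does not fit instead of a silent overrun, so a client built against the old reuse-the-buffer habit fails loudly against a library that enforces the length contract. The first demo is the fix direction of "bos: Let xdr allocate rpc output strings": pass NULL, take ownership of what the decoder returns, and free it.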

