Package: release.debian.org Severity: normal Tags: bullseye User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected] Control: affects -1 + src:autofs
Two issues have recently been addressed in autofs uploads to unstable. [ Reason ] Fixed issues: * Don't let NFSv4-only mounts use rpcbind portmapper service. * Fix missing unlock in sasl_do_kinit_ext_cc(). [ Impact ] Fix autofs hanging for LDAP+Kerberos setups. Avoid communication to rpcbind for NFSv4-only mounts. [ Tests ] Manually, on production site, by bug submitters. [ Risks ] Regressions in autofs. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] + * debian/patches: + + Add fix-nfs4-only-mounts-should-not-use-rpcbind.patch. Don't let NFSv4- + only mounts use rpcbind portmapper service. (Closes: #1034261). + + Add fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch. Fix missing unlock + in sasl_do_kinit_ext_cc(). (Closes: #1039967). [ Other info ] Salvatore Bonnacorso (@carnil) will likely follow up this pu with another pu. Not sure if he gets around to it before the deadline for the next 11.x point release.
diff -Nru autofs-5.1.7/debian/changelog autofs-5.1.7/debian/changelog --- autofs-5.1.7/debian/changelog 2021-02-04 13:36:20.000000000 +0100 +++ autofs-5.1.7/debian/changelog 2023-07-10 19:01:17.000000000 +0200 @@ -1,3 +1,13 @@ +autofs (5.1.7-1+deb11u1) bullseye; urgency=medium + + * debian/patches: + + Add fix-nfs4-only-mounts-should-not-use-rpcbind.patch. Don't let NFSv4- + only mounts use rpcbind portmapper service. (Closes: #1034261). + + Add fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch. Fix missing unlock + in sasl_do_kinit_ext_cc(). (Closes: #1039967). + + -- Mike Gabriel <[email protected]> Mon, 10 Jul 2023 19:01:17 +0200 + autofs (5.1.7-1) unstable; urgency=medium * New upstream release. diff -Nru autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch --- autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch 1970-01-01 01:00:00.000000000 +0100 +++ autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch 2023-07-05 12:14:29.000000000 +0200 @@ -0,0 +1,45 @@ +From b2571ed0df973a6dc6a8e661874655fa7cecdc37 Mon Sep 17 00:00:00 2001 +From: James Dingwall <[email protected]> +Date: Wed, 20 Jul 2022 13:22:38 +0800 +Subject: autofs-5.1.8 - fix missing unlock in sasl_do_kinit_ext_cc() + +There is a missing mutex unlock in function sasl_do_kinit_ext_cc(), +fix it. + +Signed-off-by: James Dingwall <[email protected]> +Signed-off-by: Ian Kent <[email protected]> +--- +# CHANGELOG | 1 + + modules/cyrus-sasl.c | 4 ++++ + 2 files changed, 5 insertions(+) + +#diff --git a/CHANGELOG b/CHANGELOG +#index 1f7c93a..e0b285d 100644 +#--- a/CHANGELOG +#+++ b/CHANGELOG +#@@ -27,6 +27,7 @@ +# - add autofs_strerror_r() helper for musl. +# - update configure. +# - handle innetgr() not present in musl. +#+- fix missing unlock in sasl_do_kinit_ext_cc(). +# +# 19/10/2021 autofs-5.1.8 +# - add xdr_exports(). +diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c +index ae046e0..738e363 100644 +--- a/modules/cyrus-sasl.c ++++ b/modules/cyrus-sasl.c +@@ -721,6 +721,10 @@ sasl_do_kinit_ext_cc(unsigned logopt, struct lookup_context *ctxt) + + debug(logopt, "Kerberos authentication was successful!"); + ++ status = pthread_mutex_unlock(&krb5cc_mutex); ++ if (status) ++ fatal(status); ++ + return 0; + + out_cleanup_def_princ: +-- +cgit + diff -Nru autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch --- autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch 1970-01-01 01:00:00.000000000 +0100 +++ autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch 2023-07-05 12:14:29.000000000 +0200 @@ -0,0 +1,97 @@ +From 80845bbcbc264f19c6c6a81d680e1f2b1ea6d3cc Mon Sep 17 00:00:00 2001 +From: Ian Kent <[email protected]> +Date: Sun, 31 Oct 2021 07:36:16 +0800 +Subject: autofs-5.1.8 - fix nfsv4 only mounts should not use rpcbind + +Commit 606795ecfaa1 ("autofs-5.1.7 - also require TCP_REQUESTED when +setting NFS port" together with commit 26fb6b5408be) caused NFSv4 only +mounts to also use rpcbind to probe availability which breaks the +requirememt that this type of mount not use rpcbind at all. + +Fix this by treating fstype=nfs4 mounts as a special case which doesn't +use rpcbind. + +Signed-off-by: Ian Kent <[email protected]> +--- +# CHANGELOG | 1 + + include/replicated.h | 2 ++ + modules/mount_nfs.c | 13 +++++++------ + modules/replicated.c | 4 ++-- + 4 files changed, 12 insertions(+), 8 deletions(-) + +#diff --git a/CHANGELOG b/CHANGELOG +#index 575f186..4e5e82d 100644 +#--- a/CHANGELOG +#+++ b/CHANGELOG +#@@ -8,6 +8,7 @@ +# - dont fail on duplicate offset entry tree add. +# - fix loop under run in cache_get_offset_parent(). +# - bailout on rpc systemerror. +#+- fix nfsv4 only mounts should not use rpcbind. +# +# 19/10/2021 autofs-5.1.8 +# - add xdr_exports(). +--- a/include/replicated.h ++++ b/include/replicated.h +@@ -35,6 +35,8 @@ + #define NFS3_REQUESTED NFS3_SUPPORTED + #define NFS4_REQUESTED NFS4_SUPPORTED + ++#define NFS4_ONLY_REQUESTED 0x0800 ++ + #define TCP_SUPPORTED 0x0001 + #define UDP_SUPPORTED 0x0002 + #define TCP_REQUESTED TCP_SUPPORTED +--- a/modules/mount_nfs.c ++++ b/modules/mount_nfs.c +@@ -92,7 +92,7 @@ + mount_default_proto = defaults_get_mount_nfs_default_proto(); + vers = NFS_VERS_DEFAULT | NFS_PROTO_DEFAULT; + if (strcmp(fstype, "nfs4") == 0) +- vers = NFS4_VERS_DEFAULT | TCP_SUPPORTED; ++ vers = NFS4_VERS_DEFAULT | TCP_SUPPORTED | NFS4_ONLY_REQUESTED; + else if (mount_default_proto == 4) + vers = vers | NFS4_VERS_DEFAULT; + +@@ -157,15 +157,16 @@ + } else { + /* Is any version of NFSv4 in the options */ + if (_strncmp("vers=4", cp, 6) == 0 || +- _strncmp("nfsvers=4", cp, 9) == 0) +- vers = NFS4_VERS_MASK | TCP_SUPPORTED; +- else if (_strncmp("vers=3", cp, o_len) == 0 || ++ _strncmp("nfsvers=4", cp, 9) == 0) { ++ vers &= ~(NFS_VERS_MASK); ++ vers |= NFS4_VERS_MASK | TCP_SUPPORTED | NFS4_ONLY_REQUESTED; ++ } else if (_strncmp("vers=3", cp, o_len) == 0 || + _strncmp("nfsvers=3", cp, o_len) == 0) { +- vers &= ~(NFS4_VERS_MASK | NFS_VERS_MASK); ++ vers &= ~(NFS4_VERS_MASK | NFS_VERS_MASK | NFS4_ONLY_REQUESTED); + vers |= NFS3_REQUESTED; + } else if (_strncmp("vers=2", cp, o_len) == 0 || + _strncmp("nfsvers=2", cp, o_len) == 0) { +- vers &= ~(NFS4_VERS_MASK | NFS_VERS_MASK); ++ vers &= ~(NFS4_VERS_MASK | NFS_VERS_MASK | NFS4_ONLY_REQUESTED); + vers |= NFS2_REQUESTED; + } else if (strstr(cp, "port=") == cp && + o_len - 5 < 25) { +--- a/modules/replicated.c ++++ b/modules/replicated.c +@@ -248,7 +248,7 @@ + + rpc_info->proto = proto; + if (port < 0) { +- if (version & NFS4_REQUESTED) ++ if (version & NFS4_REQUESTED && (version & NFS4_ONLY_REQUESTED)) + rpc_info->port = NFS_PORT; + else + port = 0; +@@ -510,7 +510,7 @@ + { + struct conn_info pm_info, rpc_info; + time_t timeout = RPC_TIMEOUT; +- unsigned int supported, vers = (NFS_VERS_MASK | NFS4_VERS_MASK); ++ unsigned int supported, vers = (NFS_VERS_MASK | NFS4_VERS_MASK | NFS4_ONLY_REQUESTED); + int ret = 0; + + if (!check_address_proto(logopt, host, version)) diff -Nru autofs-5.1.7/debian/patches/series autofs-5.1.7/debian/patches/series --- autofs-5.1.7/debian/patches/series 2021-02-04 13:13:20.000000000 +0100 +++ autofs-5.1.7/debian/patches/series 2023-07-05 12:14:29.000000000 +0200 @@ -9,3 +9,5 @@ spelling-error-fixes.patch fix-lookup-ldap-crash.patch fix-nfs4-mounts-in-auto-net.patch +fix-nfs4-only-mounts-should-not-use-rpcbind.patch +fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch
