The OpenAFS maintainers are happy to announce the availability of Security Releases OpenAFS 1.8.13 and OpenAFS 1.6.25. Source files can be accessed via the web at:
https://www.openafs.org/release/openafs-1.8.13.html
https://www.openafs.org/release/openafs-1.6.25.html

or via AFS at:

UNIX: /afs/grand.central.org/software/openafs/1.8.13/
UNC:  \\afs\grand.central.org\software\openafs\1.8.13\

UNIX: /afs/grand.central.org/software/openafs/1.6.25/
UNC:  \\afs\grand.central.org\software\openafs\1.6.25\

These releases include fixes for three security advisories:

http://openafs.org/pages/security/OPENAFS-SA-2024-001.txt
http://openafs.org/pages/security/OPENAFS-SA-2024-002.txt
http://openafs.org/pages/security/OPENAFS-SA-2024-003.txt

OPENAFS-SA-2024-001 affects cache managers where PAGs are in use; an attacker with access to a multi-user system could retrieve and use credentials from a preexisting PAG they are not authorized to access.

OPENAFS-SA-2024-002 affects fileservers, with denial of service and potential information disclosure from uninitialized memory access being possible due to improper string handling in processing the RXAFS_StoreACL RPC. Analogous impact to clients is possible due to improper string handling in processing the results of the RXAFS_FetchACL RPC.

OPENAFS-SA-2024-003 is a buffer overflow affecting certain RPC clients (notably, the cache manager and command-line client utilities). Errors and denial of service (crashes) are the most common failure modes, though for this class of memory-safety issue there is some potential that heap manipulation could allow remote code execution.

Bug reports should be filed to openafs-b...@openafs.org.

Benjamin Kaduk
for the OpenAFS maintainers