User-Visible OpenAFS Changes

OpenAFS 1.6.15 (Security Release)

  All client and server platforms

    * Fix for OPENAFS-SA-2015-007 "Tattletale"

      When constructing an Rx acknowledgment (ACK) packet, Andrew-derived
      Rx implementations do not initialize three octets of data that are
      padding in the C language structure and were inadvertently included
      in the wire protocol (CVE-2015-7762).  Additionally, OpenAFS Rx in
      versions 1.5.75 through 1.5.78, 1.6.0 through 1.6.14, and 1.7.0
      through 1.7.32 include a variable-length padding at the end of the
      ACK packet, in an attempt to detect the path MTU, but only four octets
      of the additional padding are initialized (CVE-2015-7763).