[OpenAFS-announce] OpenAFS release 1.6.14 available

Stephan Wiesand openafs-info@openafs.org
Thu, 13 Aug 2015 19:57:57 +0200


The OpenAFS Release Team is pleased to announce the availability of OpenAFS
version 1.6.14 for UNIX/Linux. Source files can be accessed via the web at:

  http://www.openafs.org/dl/openafs/1.6.14/

or via AFS at:

   /afs/grand.central.org/software/openafs/1.6.14/
  \\afs\grand.central.org\software\openafs\1.6.14\

There are no binaries yet. Those will be uploaded as they become available.

OpenAFS 1.6.14 is the next in the current series of stable releases of OpenAFS
for all platforms except Microsoft Windows. It fixes a single issue introduced
in the previous release:

Prior to the OpenAFS security release 1.6.13, the Volume Location Server
(vlserver) RPC VL_ListAttributesN2() supported wildcard volume name lookups via
regular expression (regex) pattern matching. This support was completely disabled
in 1.6.13 because it was judged to be a security risk due to buffer overruns in
the implementation, as well as the possibility of denial of service attacks where
certain regular expressions could cause excessive CPU usage in some regex
implementations. After 1.6.13 was released, it was discovered that the native
OpenAFS 'backup' system uses the VL_ListAttributesN2() regex support to evaluate
configured volume sets.

As a result of this issue, OpenAFS 1.6.14 replaces the 1.6.13 changes to
VL_ListAttributesN2. 1.6.14 prevents the buffer overruns and reenables the regex
support, but restricts it to OpenAFS super-users and -localauth only. This is
sufficient to restore the OpenAFS 'backup' system's ability to work correctly with
any previously supported volume set. The OpenAFS 'backup' commands are already
documented to require super-user authorization, so this restriction is moot for
the backup system.

For more details please see

  http://dl.openafs.org/dl/1.6.14/RELNOTES-1.6.14

Bug reports should be filed to openafs-bugs@openafs.org .

Stephan Wiesand, 1.6 Branch Release Manager,
for the OpenAFS Release Team
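
The shape of the fix described in the announcement (regex lookups only for super-users and -localauth, with the buffer overruns prevented) is sketched below as an added example; it is not OpenAFS code. The `caller` struct, `MAX_PATTERN`, the error codes and the volume names are assumptions constructed for this illustration.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

#define MAX_PATTERN 64      /* assumed limit, chosen for this example */

enum { ERR_NOPERM = -1, ERR_PATTERN = -2 };

/* Hypothetical caller identity. A real server derives this from the
 * authenticated RPC connection, never from request arguments. */
struct caller {
    int is_superuser;       /* caller is a configured super-user */
    int is_localauth;       /* caller authenticated with the server's own key */
};

/* Constructed sample volume names, not taken from any real cell. */
const char *const SAMPLE_VOLUMES[] = {
    "user.alice", "user.bob", "root.cell", "proj.build"
};

/* Count the names matching `pattern`, or return a negative error code. */
int count_matching(const struct caller *who, const char *pattern,
                   const char *const *names, size_t n_names)
{
    char buf[MAX_PATTERN + 1];
    const char *end;
    regex_t re;
    size_t i;
    int hits = 0;

    /* 1. Authorize first: an unprivileged caller never reaches regcomp(),
     *    so it cannot feed the regex engine an expensive expression. */
    if (!who->is_superuser && !who->is_localauth)
        return ERR_NOPERM;

    /* 2. Find the terminator within the bound before copying, so an
     *    over-long pattern is rejected instead of overrunning buf. */
    end = memchr(pattern, '\0', MAX_PATTERN + 1);
    if (end == NULL || end == pattern)
        return ERR_PATTERN;
    memcpy(buf, pattern, (size_t)(end - pattern) + 1);

    /* 3. Only now compile and evaluate the expression. */
    if (regcomp(&re, buf, REG_EXTENDED | REG_NOSUB) != 0)
        return ERR_PATTERN;
    for (i = 0; i < n_names; i++)
        if (regexec(&re, names[i], 0, NULL, 0) == 0)
            hits++;
    regfree(&re);
    return hits;
}
```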