Change logs for openafs source package in Jessie

  • openafs (1.6.9-2+deb8u7) jessie; urgency=high
    
      * Apply upstream patches needed to fix kernel module build against
        linux 3.16.51-3+deb8u1 kernels after security update-induced ABI changes.
        (Closes: #886719)
    
     -- Benjamin Kaduk <email address hidden>  Sat, 20 Jan 2018 11:48:09 -0600
  • openafs (1.6.9-2+deb8u5) jessie-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * CVE-2015-8312: afs: pioctl kernel memory overrun
      * CVE-2016-2860: group creation by foreign users
    
     -- Salvatore Bonaccorso <email address hidden>  Wed, 04 May 2016 22:11:45 +0200
  • openafs (1.6.9-2+deb8u4) jessie-security; urgency=high
    
      * Apply upstream security patches corresponding to the 1.6.15 release:
        - OPENAFS-SA-2015-007 (CVE-2015-7762, CVE-2015-7763): rx ACK packets
          reveal plaintext of previously encrypted data packets.
    
     -- Benjamin Kaduk <email address hidden>  Wed, 28 Oct 2015 11:58:48 -0400
  • openafs (1.6.9-2+deb8u3) jessie-security; urgency=high
    
      * Apply upstream security patches from the 1.6.13 release (thanks to
        Benjamin Kaduk <email address hidden> for providing the patches):
        - OPENAFS-SA-2015-001 (CVE-2015-3282): vos leaks stack data onto the wire when creating
          vldb entries
        - OPENAFS-SA-2015-002 (CVE-2015-3283): bos commands can be spoofed, including some
          which alter server state
        - OPENAFS-SA-2015-003 (CVE-2015-3284): pioctls leak kernel memory contents
        - OPENAFS-SA-2015-004 (CVE-2015-3285): kernel pioctl support for OSD command parsing
          can trigger a panic
        - OPENAFS-SA-2015-006 (CVE-2015-3287): Buffer overflow in OpenAFS vlserver
      * The patch for OPENAFS-SA-2015-005 is not applied, since that
        vulnerability is limited to the Solaris kernel module
    
     -- Sebastien Delafond <email address hidden>  Thu, 30 Jul 2015 11:53:25 +0200
  • openafs (1.6.9-2+deb8u2) testing; urgency=high
    
    
      * The build fix in 1.6.9-2+deb8u1 was incomplete; import more patches
        from upstream to complete the build fix. (Closes: #778196.)
    
     -- Benjamin Kaduk <email address hidden>  Mon, 02 Mar 2015 14:07:00 -0500
  • openafs (1.6.9-2+deb8u1) testing; urgency=high
    
    
      * Import patches from upstream:
        - Avoid using stale data version after writepage. (Closes: #778851.)
        - Fix build when d_alias is in the d_u union. (Closes: #778196.)
    
     -- Benjamin Kaduk <email address hidden>  Fri, 20 Feb 2015 12:55:06 -0500
  • openafs (1.6.9-2) unstable; urgency=medium
    
    
      [ Russ Allbery ]
      * Retroactively add the CVE for OPENAFS-SA-2014-002 to the changelog for
        1.6.9-1.  It was assigned after the release was uploaded.
      * Add Benjamin Kaduk as Maintainer and move myself to Uploaders.
    
      [ Benjamin Kaduk ]
      * Apply upstream deltas to fix the build with the linux kernel 3.16
        (Closes: #762248):
        - [ea0c9d8c] Linux 3.16: Switch to iter_file_splice_write
        - [02a07404] Linux 3.16: Convert to new write_iter/read_iter ops
      * Update README.source for the gbp pq patch-management procedure.
    
     -- Benjamin Kaduk <email address hidden>  Mon, 22 Sep 2014 13:17:12 -0400
  • openafs (1.6.9-1) unstable; urgency=high
    
    
      * New upstream release.
        - OPENAFS-SA-2014-002: Fix use of uninitialized memory in the host
          object in the fileserver.
    
     -- Russ Allbery <email address hidden>  Thu, 12 Jun 2014 12:39:25 -0700
  • openafs (1.6.8-1) unstable; urgency=medium
    
    
      * New upstream release.
        - Change the default fileserver sync behavior from delayed to
          onclose so that explicit syncing only happens when a volume is
          detached.
        - Add -offline-timeout and -offline-shutdown-timeout options to the
          fileserver, allowing interrupting of clients accessing volumes that
          the fileserver is trying to take off-line.
        - Fix RX bug that could hide errors during packet reception.
        - Fix vos size -dump display for large volumes.
        - Give up callbacks when the client is shut down.  This can cause
          crashes in old fileservers (prior to 1.4.6).
        - Restore vos e alias for vos examine.
        - Throttle byte-range lock warnings per file, and include the FID of
          the file that the client is trying to lock.
        - Avoid a possible panic during shutdown while tracing.
        - Fix a bug that could cause getcwd to fail to find parent
          directories.
        - Avoid a delay when accessing uncached data in AFS in a confined
          context under SELinux.
        - Documentation, diagnostics, and error message improvements.
      * Add Lintian override for the copy of RFC 5864, which has been
        dual-licensed by the author.
    
     -- Russ Allbery <email address hidden>  Sat, 24 May 2014 17:55:20 -0700
  • openafs (1.6.7-1) unstable; urgency=high
    
    
      * New upstream security release.
        - OPENAFS-SA-2014-001: Fix potential buffer overflow in the
          fileserver.  (CVE-2014-0159)
        - Fix a potential DoS attack against Rx servers by avoiding suspending
          the listener thread when delaying connection abort messages.
    
     -- Russ Allbery <email address hidden>  Wed, 09 Apr 2014 10:33:38 -0700
  • openafs (1.6.6-1) unstable; urgency=low
    
    
      * New upstream release.
        - Remove server-side NAT pings since there's no evidence they help.
      * Fix linking of /usr/share/doc directories for libpam-openafs-kaserver,
        openafs-fuse, and openafs-kpasswd.  This was broken in previous
        releases by a miswritten debian/rules override.  Thanks to Andreas
        Beckmann for finding the problem and solution.  (Closes: #736305)
      * Accept AFS_DYNROOT=true as an alias for Yes in afs.conf.client,
        matching behavior of releases prior to 1.6.2.1-1.  (Closes: #729353)
    
     -- Russ Allbery <email address hidden>  Thu, 23 Jan 2014 20:43:05 -0800
  • openafs (1.6.6~pre2-1) unstable; urgency=low
    
    
      * New upstream pre-release.
        - Linux kernels up to 3.12 are now supported, including kernels with
          user namespace support enabled (which affects Debian's 3.12-1 kernel
          and newer).
        - Fixed core dumps into AFS with current kernels.
        - When starting the client fails, backing device information created
          in sysfs is now properly cleared.
        - The AFS mountpoint specified in the cacheinfo file must now be an
          absolute path.
        - Stop tracking file locks on read-only volumes.  Write locks always
          fail and read locks always succeed.
        - New fs flushall command to discard all cached data.
        - Fixed a bug that could cause the client to incorrectly believe its
          cache was up to date.
        - New -rxmaxfrags switch to afsd to limit the number of UDP fragments
          sent or received per RX packet.
        - Fixed afsd threads entering an infinite loop.
        - The file server now ignores any vice partitions with a NeverAttach
          flag file present in the root directory.
        - Enabled server-side NAT pings to refresh NAT timeouts.
        - Forcing file server CPS recalculation (for IP ACLs) is now
          restricted to administrators.
        - vos examine of a volume in a transaction is now shown as busy again
          rather than off-line.
        - Multiple bug fixes to the salvager.
        - Fixed a bug that could cause state information to be discarded when
          restarting a large or busy file server.
        - Fixed a vlserver bug during file server address registration.
        - volserver supports a new -preserve-vol-stats option, which preserves
          access statistics across volume restore and reclone operations.
        - Releasing a volume after adding a new RO site no longer touches the
          existing RO sites if the volume has not changed since the last
          release.
        - Fixed undefined ptserver behavior with too many allocated PTS ids.
        - Avoid redefining assert in public header files.
        - Documentation, diagnostics, and error message improvements.
    
     -- Russ Allbery <email address hidden>  Sat, 28 Dec 2013 11:38:19 -0800
  • openafs (1.6.5.2-1) unstable; urgency=medium
    
    
      * New upstream release.
        - Fix support for tmpfs as the cache filesystem.
        - Support kernels with backported changes affecting getname/putname.
      * Exit successfully in the openafs-client init script if /sbin/afsd
        doesn't exist, indicating that openafs-client is not installed.
      * Load /lib/lsb/init-functions in the openafs-client init script as the
        first step towards upstart or systemd support.
      * Update standards version to 3.9.5 (no changes required).
    
     -- Russ Allbery <email address hidden>  Sun, 22 Dec 2013 13:40:10 -0800
  • openafs (1.6.5.1-1) unstable; urgency=low
    
    
      * New upstream release.
        - Support for Linux 3.11 and 3.12 (up to 3.12-rc3).
        - Fixed core dumps into AFS with some Linux kernels.
      * Cherry-pick additional upstream fixes.
        - [7242e25a] Fix library ordering when building aklog.
        - [514fc63d] Fix budb crash when the -servers command-line option
          is given.  (Closes: #718253)
      * Ignore errors when reading ThisCell in the openafs-client config
        script.  If the file doesn't end in a newline, read will still succeed
        and set the variable, but will exit with a non-zero status.  This
        would abort configuration of the package without a useful error
        message.
      * Drop Recommends of libjs-jquery in openafs-doc.  We're no longer
        replacing the embedded jQuery, pending a better fix in the Doxygen
        packaging.
      * Optimize the get-orig-source target.  Thanks, Anders Kaseorg.
      * Translation updates:
        - German, thanks Erik Pfannenstein.  (Closes: #719154)
    
     -- Russ Allbery <email address hidden>  Sun, 20 Oct 2013 09:26:37 -0700
  • openafs (1.6.5-1) unstable; urgency=high
    
    
      * New upstream release.
        - OPENAFS-SA-2013-003: New support for non-DES enctypes in the
          long-lived AFS key.  This requires deploying rxkad.keytab files on
          each server containing all of the encryption types for the cell AFS
          key.  Once this is deployed on servers, DES will only be used for
          the session key.  Once deployed on all clients, a stronger security
          mechanism will be used that allows the DES keys to be removed from
          the AFS principal in the Kerberos KDC (but still uses DES for some
          session encryption purposes).  (CVE-2013-4134)
        - OPENAFS-SA-2013-004: Properly support the -encrypt option in vos,
          including with -localauth.  (CVE-2013-4135)
      * Move the documentation and kernel module build dependencies to
        Build-Depends-Indep and only do those parts of the build if building
        architecture-independent packages.
      * Drop the sequence numbers from the openafs-client init script
        registration.  Debian now always uses dependency-based boot ordering.
      * Translation updates:
        - Japanese, thanks victory.  (Closes: #714223)
    
     -- Russ Allbery <email address hidden>  Wed, 24 Jul 2013 14:32:22 -0700
  • openafs (1.6.4-1) unstable; urgency=low
    
    
      * New upstream release.
    
     -- Russ Allbery <email address hidden>  Tue, 18 Jun 2013 11:10:45 -0700
  • openafs (1.6.2.1-2) unstable; urgency=low
    
    
      * Upload to unstable.
      * Translation updates:
        - Brazilian Portuguese, thanks Albino B Neto.  (Closes: #706627)
    
     -- Russ Allbery <email address hidden>  Thu, 09 May 2013 09:00:57 -0700
  • openafs (1.6.1-3) unstable; urgency=high
    
    
      * Apply upstream security patches:
        - OPENAFS-SA-2013-001: Fix fileserver buffer overflow when parsing
          client-supplied ACL entries and protect against client parsing of
          bad ACL entries.  (CVE-2013-1794)
        - OPENAFS-SA-2013-002: Fix ptserver buffer overflow via integer
          overflow in the IdToName RPC.  (CVE-2013-1795)
    
     -- Russ Allbery <email address hidden>  Mon, 04 Mar 2013 11:17:02 -0800