Navigation:
Browse pkgsrc
(this page)| 2017-07-21 03:39:33 by Sevan Janiyan | Files touched by this commit (3) |
Log message:
Update to 1.6.21
User-Visible OpenAFS Changes
OpenAFS 1.6.21
All platforms
* Avoid a possible 100ms transmit delay in the RX protocol when a peer's
receive window transitions from closed to open (12627)
* Documentation improvements (12476 12477 12559[RT #133339])
All server platforms
* When bosserver is started with an unknown option, print an error message
and exit with a non-zero value rather than failing silently (12631)
All DB server platforms
* Hold the DB lock while checking for an aborted write transaction (12516)
All file server platforms
* On demand attach fileservers, don't save or restore a client's host
state if CPS ("Current Protection Subdomain") recalculation for it is
in progress, to avoid fileserver thread exhaustion (12568)
* On demand attach fileservers, avoid flooding the log with error messages,
which could happen when the fileserver was restarted while a volume was
offline (12569)
* Update a volume's "Last Update" time when its content is modified by
the salvager, to make the change visible in the output of "vos \
examine"
and to backup services (12633)
All client platforms
* Corrected the DCentries bucket counts for very large and zero length
files in the output of "fs getcacheparms -excessive" (12604 12605)
* Fixed a bug that prevented users with GID 2748 and 2750 from executing
the "fs sysname" command on clients running afsd with -rmtsys (12607)
* Provide a new -inumcalc switch for afsd to allow enabling the alternative
MD5 method of inode number calculation, which was previously only
possible on Linux and through the sysctl interface (12608 12632)
Linux clients
* Support for mainline kernel 4.12 and distribution kernels with backports
from it (12624 12626)
* Re-added the improved algorithm for freeing unused vcaches to reduce
memory consumption first introduced with the 1.6.18 release, together
with a fix for the issue leading to its removal in 1.6.18.2 (12448..12451)
macOS clients
* Fixed a crash while stopping the client on macOS 10.12 "Sierra" \
(12602)
|
| 2016-10-03 10:30:13 by Thomas Klausner | Files touched by this commit (2) |
Log message: Try listing all relevant licenses. |
| 2016-05-17 12:32:09 by Filip Hajny | Files touched by this commit (36) |
Log message: Use REAL_ROOT_USER/REAL_ROOT_GROUP instead of ROOT_USER/ROOT_GROUP for all pkgsrc dir/file ownership rules. Fixes unprivileged user/group names from leaking into binary packages, manifest as non-fatal chown/chgrp failure messages at pkg_add time. Bump respective packages' PKGREVISION. |
| 2016-04-04 14:48:29 by Jonathan A. Kollasch | Files touched by this commit (7) |
Log message: Fix build of OpenAFS userland on at least NetBSD/amd64 7.0. Hopefully NetBSD/x86 -current also works. Should merely be a build fix, but bump PKGREVISION anyway. This commit allocates sysname numbers that have not yet been submitted upstream. |
2016-03-18 18:11:37 by Jonathan A. Kollasch | Files touched by this commit (2) |  |
Log message:
Update OpenAFS to 1.6.17, fixes security vulnerabilities.
User-Visible OpenAFS Changes
OpenAFS 1.6.17 (Security Release)
All server platforms
* Fix for OPENAFS-SA-2016-001: foreign users can create groups as
if they were an administrator (RT #132822) (CVE-2016-2860)
All client platforms
* Fix for OPENAFS-SA-2016-002: information leakage from sending
uninitialized memory over the network. Multiple call sites
were vulnerable, with potential for leaking both kernel and
userland stack data (RT #132847)
* Update to the GCO CellServDB update from 01 January 2016 (12188)
Linux clients
* Fix a crash when the root volume is not found and dynroot is not
in use, a regression introduced in 1.6.14.1 (12166)
* Avoid introducing a dependency on the kernel-devel package corresponding
to the currently running system while building the srpm (12195)
* Create systemd unit files with mode 0644 instead of 0755
(12196) (RT #132662)
OpenAFS 1.6.16
All platforms
* Documentation improvements (11932 12096 12100 12112 12120)
* Improved diagnostics and error messages (11586 11587)
* Distribute the contributor code of conduct with the stable release (12056)
All server platforms
* Create PID files in the right location when bosserver is started with
the "-pidfiles" argument and transarc paths are not being used \
(12086)
* Several fixes regarding volume dump creation and restore (11433 11553
11825 11826 12082)
* Avoid a reported bosserver crash, and potentially others, by replacing
fixed size buffers with dynamically allocated ones in some user handling
functions (11436) (RT #130719)
* Obey the "-toname" parameter in "vos clone" operations \
(11434)
* Avoid writing a loopback address into the server CellServDB - search
for a non-loopback one, and fail if none is found (12083 12105)
* Rebuild the vldb free list with "vldb_check -fix" (12084)
* Fixed and improved the "check_sysid" utility (12090)
* Fixed and improved the "prdb_check" utility (12101..04)
All client platforms
* Avoid a potential denial of service issue, by fixing a bug in pioctl
logic that allowed a local user to overrun a kernel buffer with a single
NUL byte (commit 2ef86372) (RT #132256) (CVE-2015-8312)
* Refuse to change multi-homed server entries with "vos changeaddr",
unless "-force" is given, to avoid corruption of those entries \
(12087)
* Provide a new vos subcommand "remaddrs" for removing server \
entries, to
replace the slightly confusing "vos changeaddr -remove" (12092 12094)
* Make "fs flushall" actually invalidate all cached data (11894)
* Prevent spurious call aborts due to erroneous idle timeouts (11594)
* Provide a "--disable-gtx" configure switch to avoid building and
installing libgtx and its header files as well as the depending
"scout" and "afsmonitor" applications (12095)
* Fixed building the gtx applications against newer ncurses (12125)
* Allow pioctls to work in environments where the syscall emulation
pseudo file is created in a read-only pseudo filesystem, like in
containers under recent versions of docker (12124)
Linux clients
* In Red Hat packaging, avoid following a symbolic link when writing
the client CellServDB, which could overwrite the server CellServDB,
by removing an existing symlink before writing the file (12081)
* In Red Hat packaging, avoid a conflict of openafs-debuginfo with
krb5-debuginfo by excluding our kpasswd executable from debuginfo
processing (12128) (RT #131771)
|
| 2015-11-04 18:41:21 by Alistair G. Crooks | Files touched by this commit (78) |
Log message: Remove duplicate SHA512 digests that crept in. |
| 2015-11-03 01:15:02 by Alistair G. Crooks | Files touched by this commit (39) |
Log message: Add SHA512 digests for distfiles for filesystems category Existing SHA1 digests verified, all found to be the same on the machine holding the existing distfiles (morden). Existing SHA1 digests retained for now as an audit trail. |
| 2015-10-28 20:43:01 by Jonathan A. Kollasch | Files touched by this commit (2) | |
Log message:
update openafs to 1.6.15
OpenAFS 1.6.15 (Security Release)
All client and server platforms
* Fix for OPENAFS-SA-2015-007 "Tattletale"
When constructing an Rx acknowledgment (ACK) packet, Andrew-derived
Rx implementations do not initialize three octets of data that are
padding in the C language structure and were inadvertently included
in the wire protocol (CVE-2015-7762). Additionally, OpenAFS Rx in
versions 1.5.75 through 1.5.78, 1.6.0 through 1.6.14, and 1.7.0
through 1.7.32 include a variable-length padding at the end of the
ACK packet, in an attempt to detect the path MTU, but only four octets
of the additional padding are initialized (CVE-2015-7763).
|
| 2015-09-29 18:58:02 by Jonathan A. Kollasch | Files touched by this commit (2) | |
Log message:
Update openafs to 1.6.14.
User-Visible OpenAFS Changes
OpenAFS 1.6.10
All platforms
* Don't hide the "version" subcommand in help output (11214)
* Documentation improvements (11126 11216 11222 11223 11225 11226)
* Improved diagnostics and error messages (11154 11246 11247 11249 11181
11182 11183)
* Build system improvements (11158 11221 11224 11225 11227..11241 11282
11342 11350 11353 11242 11367 11392)
* Avoid potentially erratic behaviour under certain error conditions by
either avoiding or at least not ignoring them, in various places (11008
11010..11065 11112 11148 11196 11530)
FreeBSD
* Support releases 9.3 and 10.1 (11368 11369 11402 11403 11404)
* Makes a disk cache more likely to work on FreeBSD, though such
configurations remain not very tested (11448)
All server platforms
* Added volscan(8) (11252..11280 11387 11388)
* Fixed a bug causing subgroups not to function correctly if their
ptdb entry had more than one continuation entry (11352)
* Logging improvements (10946 11153)
* Allow log rotation via copy and truncate (11193)
* Avoid a server crash during startup only observed on a single platform
and when using a 3rd party library under certain circumstances, which is
a collateral effect of the security improvements introduced in OpenAFS
release 1.6.5 (11075) (RT #131852)
All client platforms
* Raised the free space reported for /afs to the maximum possible value of
just under 2 TiB - the old value was 9 GiB on most platforms (10984)
* Reduced the amount of stack space used (11162 11163 11203 11164..11167
11338 11339 11364..11366 11381)
* Sped up a periodic client task which could be problematically slow
on systems with a large number of PAGs and files in use (11307)
* Fixed failure of the up command with large ACLs (11111)
* Avoid a potential crash of aklog (11218)
* Avoid potential crashes of scout and xstat_fs_test (11155)
Linux clients
* Support kernels up to 3.16 (11308 11309)
* Fixed a regression introduced in OpenAFS release 1.6.6 that made
checking for existing write locks incorrectly fail on readonly volumes
(11361)
* Fixed a regression introduced in OpenAFS release 1.6.8 that could
cause VFS cache inconsistencies when a previously-accessed directory
entry was removed and recreated with the same name but pointing to a
different file on another client (11358)
* Use the right path to depmod in Red Hat packaging to avoid dependency
calculation incorrectly failing unless a link /sbin -> /usr/sbin is
present on the system performing it (11171) (RT #131860)
* Do not ignore kernel module build errors (11205)
User-Visible OpenAFS Changes
OpenAFS 1.6.11
All platforms
* Allow aklog to succeed creating native K5 tokens even when mapping
the K5 principal to a K4 one fails (11538)
* Build fixes (11435 11636)
All client platforms
* Avoid a potential kernel panic due to connection reference overcounts
(11645) (RT #131885)
* Avoid potential corruption of files written using memory mapped I/O
when the file is larger than the cache (11656) (RT #131976)
Linux clients
* Support kernels at least up to 3.19 (11549 11550 11569 11570 11595
11658..11662 11694 11752)
Note: By default this excludes kernels 3.17 to 3.17.2, which will leak
an inode reference when an error occurs in d_splice_alias(). The
module will build and work, but leak kernel memory, leading to
performance degradation and eventually system failure due to
memory exhaustion. Since it's impossible to detect this condition
automatically, the switch --enable-linux-d_splice_alias-extra-iput
must be passed to configure when building the module for those
kernels. The same would be necessary for any kernel with backports
of commit 908790fa3b779d37365e6b28e3aa0f6e833020c3 or commit
95ad5c291313b66a98a44dc92b57e0b37c1dd589 but not the fix in commit
51486b900ee92856b977eacfc5bfbe6565028070 in the linux-stable repo
(git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git) or
the corresponding changes on other branches.
* Fixed a regression introduced in OpenAFS release 1.6.10 which could
make the spurious "getcwd: cannot access parent directories" problem
return (11558 11568) (RT #131780)
* Avoid leaking memory when scanning a corrupt directory (11707)
OS X clients
* Support OS X 10.10 "Yosemite" (11571 11572 11611) (RT #131946)
Solaris clients
* Avoid reading random data rather than correct cache content when using
ZFS as the cache file system on Solaris >= 11, and fix potential similar
problems on other platforms (11713 11714)
FreeBSD
* Build fix for releases >= 11.0 (11610)
OpenBSD
* Support release 5.4 (11700)
User-Visible OpenAFS Changes
OpenAFS 1.6.11.1
Linux clients
* Support kernels up to 4.0 (11760 11761)
FreeBSD clients
* Fixed kernel module build on systems with an updated clang which no
longer accepts the -mno-align-long-strings as a no-op (11809)
User-Visible OpenAFS Changes
OpenAFS 1.6.12
All server platforms
* Avoid database corruption if a database server is shut down and then
brought up again quickly with an altered database (11773 11774)
(RT #131997)
All client platforms
* Fixed a potential buffer overflow in aklog (11808)
* Avoid a bogus warning regarding the checkserver daemon, which could be
logged during startup when the cache initialization was very fast (11680)
* Added documentation of the inaccuracy of the 'partition' field in
'fs listquota' output for partitions larger than 2 TiB (11626)
Linux clients
* Support kernels up to 4.1 (11872 11873)
* Avoid spurious EIO errors when writing large chunks of data to
mmapped files (11877)
OS X
* Build fixes required at least on OS X 10.10 Yosemite with the latest
XCode (11859 11876 11842..11845 11863 11878 11879)
User-Visible OpenAFS Changes
OpenAFS 1.6.13
All server platforms
* Fix for CVE-2015-3282: vos leaks stack data onto the wire in the
clear when creating vldb entries
* Workaround for CVE-2015-3283: bos commands can be spoofed, including
some which alter server state
* Disabled searching the VLDB by volume name regular expression to avoid
possible buffer overruns in the volume location server
All client platforms
* Fix for CVE-2015-3284: pioctls leak kernel memory
* Fix for CVE-2015-3285: kernel pioctl support for OSD command passing
can trigger a panic
Solaris clients
* Fix for CVE-2015-3286: Solaris grouplist modifications for PAGs can
panic or overwrite memory
User-Visible OpenAFS Changes
OpenAFS 1.6.14
All server platforms
* Prior to the OpenAFS security release 1.6.13, the Volume Location
Server (vlserver) RPC VL_ListAttributesN2() supported wildcard volume
name lookups via regular expression (regex) pattern matching. This
support was completely disabled in 1.6.13 because it was judged to be
a security risk due to buffer overruns in the implementation, as well
as the possibility of denial of service attacks where certain regular
expressions could cause excessive CPU usage in some regex
implementations.
Unfortunately, after 1.6.13 was released, it was discovered that
the native OpenAFS 'backup' system uses the VL_ListAttributesN2()
regex support to evaluate configured volume sets. If you use the
OpenAFS 'backup' system (or another backup system which relies on it,
such as Tivoli Storage Manager (TSM, aka Tivoli ADSM)), and are using
volume sets which require regular expressions for the volume name,
then those volume sets cannot be resolved by OpenAFS 1.6.13. The next
paragraph provides details on how to identify any affected volume sets.
OpenAFS backup volume sets may be described by fileserver, partition
name, and volume name. The fileserver and partition specifications
never require regular expression support. The volume name specification
always requires regular expression support except for when specifying
_all_ volumes via two special cases: the universal wildcard \
".*", or "".
For example, volume name "proj" or "*.backup" or \
"homevol.*" all
require regex support - even if the specification contains no wildcard
characters and/or exactly matches an existing volume name.
As a result of this issue, OpenAFS 1.6.14 replaces the 1.6.13 changes
to VL_ListAttributesN2. 1.6.14 prevents the buffer overruns and
reenables the regex support, but restricts it to OpenAFS super-users
and -localauth only. This is sufficient to restore the OpenAFS 'backup'
system's ability to work correctly with any previously supported volume
set. The OpenAFS 'backup' commands are already documented to require
super-user authorization, so this restriction is moot for the backup
system.
There are no other direct consumers of the VL_ListAttributesN2() regex
support in the OpenAFS tree. However, the VL_ListAttributesN2 RPC is
publicly accessible and might be used by third party tools directly or
indirectly via OpenAFS's libadmin. Any such tools that issue
VL_ListAttributesN2 RPCs must now be executed using super-user or
-localauth tokens.
None of the other security fixes in OpenAFS 1.6.13 are known to have
any issues, and are still included unchanged in OpenAFS 1.6.14.
If there are any questions concerning the possible impact of OpenAFS
1.6.13 or 1.6.14 at your site, please contact your OpenAFS support
provider or the openafs-info@openafs.org mailing list for further
assistance.
|
| 2014-06-13 01:44:04 by Tracy Di Marco White | Files touched by this commit (2) |
Log message:
Upgrade to OpenAFS 1.6.9
OpenAFS 1.6.9
All server platforms
* Fix for OPENAFS-SA-2014-002
OpenAFS 1.6.8
All platforms
* Documentation improvements (10751 10875 10931 10897 10883 10954 10955)
* Improved diagnostics and error messages (10756 10814 10949)
* Fixed a bug in RX that could make errors during packet reception go
unnoticed. (10733)
* Fixed a bug that made "vos size -dump" display the wrong size for
large volumes. (10933) (RT #131819)
All server platforms
* Change the default fileserver sync behavior from "delayed" to \
"onclose".
This means that explicit syncing only happens when a volume is detached.
(10809)
* Added the -offline-timeout and -offline-shutdown-timeout options to the
fileserver, to implement interrupting clients accessing volumes we are
trying to take offline. (6266 10799)
|
New packages: