UVF Exception for OpenAFS 1.4.4 - please sync from debian

Bug #96931 reported by Björn Torkelsson
Affects           Status        Importance  Assigned to  Milestone
openafs (Ubuntu)  Fix Released  Wishlist    Unassigned

Bug Description

Openafs 1.4.4 was released a couple of days ago, and entered Debian experimental today.

It contains a lot of fixes, of which the most important ones are:

* SetUID is no longer honored for the local cell by default. The
  "fs setcellstatus" command must be issued for any cell the system
  administrator wishes to allow setuid files in. (OPENAFS-SA-2007-001, CVE 2007-1507)

* Builds with the 2.6.20 kernel.

  The patches I grabbed for 1.4.2-4ubuntu1 made it build with 2.6.20, however I'm not sure they are complete.

* A couple of crashes.

Announcement with full details at: http://www.openafs.org/pipermail/openafs-announce/2007/000185.html

In my opinion it is better to go with the new upstream version which only requires a sync from debian, than trying to patch 1.4.2-4ubuntu1 further. The changes in -4ubuntu1 can be dropped.

I'm currently testing it and will also build it internally for Dapper and deploy it on our clusters so that we can have a lot more testing.

/torkel
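The setuid change above means that after the upgrade an administrator has to explicitly re-enable setuid per cell, and a quick audit of which cells currently allow it is the natural check. The following script is an added example, not part of this bug report or of OpenAFS itself. It parses the per-cell lines printed by "fs getcellstatus" (the line shape "Cell <name> status: setuid allowed" / "no setuid allowed" is assumed from the OpenAFS fs_getcellstatus documentation) and lists the cells that still honor setuid bits; the sample output embedded below is constructed so the parsing logic runs without an AFS client.

```python
"""Audit which AFS cells still allow setuid binaries.

Added example (not from the bug report or OpenAFS). The output format of
`fs getcellstatus` is assumed from its manual page; lines that do not
match are ignored rather than guessed at.
"""
import re
import subprocess
from typing import Iterable

# Constructed sample of what `fs getcellstatus <cell>` prints for three
# cells (format assumed from the fs_getcellstatus manual page).
SAMPLE_OUTPUT = """\
Cell example.com status: no setuid allowed
Cell legacy.example.org status: setuid allowed
Cell partner.example.net status: no setuid allowed
"""

_STATUS_RE = re.compile(
    r"^Cell\s+(\S+)\s+status:\s+(no setuid allowed|setuid allowed)\s*$"
)


def parse_cell_status(output: str) -> dict:
    """Map each cell name to True if setuid is allowed, False otherwise.

    Unrecognised lines are skipped, so a changed output format shows up
    as a missing cell instead of a silently wrong verdict.
    """
    result = {}
    for line in output.splitlines():
        m = _STATUS_RE.match(line.strip())
        if not m:
            continue
        cell, status = m.groups()
        result[cell] = (status == "setuid allowed")
    return result


def setuid_cells(output: str) -> list:
    """Return the sorted list of cells that still honor setuid bits."""
    return sorted(c for c, allowed in parse_cell_status(output).items() if allowed)


def query_cells(cells: Iterable[str]) -> str:
    """Run `fs getcellstatus -cell <cell>` for each cell on a live client.

    Assumed invocation; only needed when auditing a real installation.
    """
    chunks = []
    for cell in cells:
        proc = subprocess.run(["fs", "getcellstatus", "-cell", cell],
                              capture_output=True, text=True, check=False)
        chunks.append(proc.stdout)
    return "".join(chunks)


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for query_cells([...]) to audit a real client.
    allowed = setuid_cells(SAMPLE_OUTPUT)
    for cell in allowed:
        print(f"WARNING: cell {cell} allows setuid binaries")
    if not allowed:
        print("No cells allow setuid binaries")
```

On a real client, pass the cell names from CellServDB (or the local cell plus any foreign cells in use) to query_cells and feed the result to setuid_cells; any cell reported is one where "fs setcellstatus" has been used to re-enable setuid and should be deliberate.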

Revision history for this message
Andrew Mitchell (ajmitch) wrote :

I'm happy with this, upstream changelog details mostly just bugfixes & importantly a security fix.

Revision history for this message
Paul Sladen (sladen) wrote :

I'm happy to sign this off. 'torkel' did the previous upload of 'openafs' and has been dog-fooding the package. Syncing this from Debian removes several local deltas which is a Good Thing and of course there is the security issue detailed in bug #94787 ("Openafs has a security hole with enabled suid").

Changed in openafs:
status: Unconfirmed → Confirmed
Revision history for this message
Sebastien Bacher (seb128) wrote :

[Updating] openafs (1.4.2-4ubuntu1 [Ubuntu] < 1.4.4-1 [Debian])
 * Trying to add openafs...
  - <openafs_1.4.4-1.dsc: downloading from http://ftp.debian.org/debian/>
  - <openafs_1.4.4.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <openafs_1.4.4-1.diff.gz: downloading from http://ftp.debian.org/debian/>
I: openafs [universe] -> libopenafs-dev_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> openafs-dbserver_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> openafs-dbg_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> openafs-kpasswd_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> openafs-krb5_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> openafs-client_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> openafs-fileserver_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> openafs-modules-source_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> libpam-openafs-kaserver_1.4.2-4ubuntu1 [universe].
I: openafs [universe] -> openafs-doc_1.4.2-4ubuntu1 [universe].

Changed in openafs:
importance: Undecided → Wishlist
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.