The OpenAFS Release Team is pleased to announce the availability of OpenAFS version 1.6.14 for UNIX/Linux. Source files can be accessed via the web at:
http://www.openafs.org/dl/openafs/1.6.14/

or via AFS at:

/afs/grand.central.org/software/openafs/1.6.14/
\\afs\grand.central.org\software\openafs\1.6.14\

There are no binaries yet. Those will be uploaded as they become available.

OpenAFS 1.6.14 is the next in the current series of stable releases of OpenAFS for all platforms except Microsoft Windows. It fixes a single issue introduced in the previous release:

Prior to the OpenAFS security release 1.6.13, the Volume Location Server (vlserver) RPC VL_ListAttributesN2() supported wildcard volume name lookups via regular expression (regex) pattern matching. This support was completely disabled in 1.6.13 because it was judged to be a security risk due to buffer overruns in the implementation, as well as the possibility of denial of service attacks where certain regular expressions could cause excessive CPU usage in some regex implementations.

After 1.6.13 was released, it was discovered that the native OpenAFS 'backup' system uses the VL_ListAttributesN2() regex support to evaluate configured volume sets.

As a result of this issue, OpenAFS 1.6.14 replaces the 1.6.13 changes to VL_ListAttributesN2. 1.6.14 prevents the buffer overruns and reenables the regex support, but restricts it to OpenAFS super-users and -localauth only. This is sufficient to restore the OpenAFS 'backup' system's ability to work correctly with any previously supported volume set. The OpenAFS 'backup' commands are already documented to require super-user authorization, so this restriction is moot for the backup system.

For more details please see http://dl.openafs.org/dl/1.6.14/RELNOTES-1.6.14

Bug reports should be filed to [email protected] .

Stephan Wiesand, 1.6 Branch Release Manager, for the OpenAFS Release Team
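
The two mitigations described in the announcement (authorize before the regex engine is reached, and bound the pattern before copying it) can be sketched as follows. This is an added example, not OpenAFS code: the function name, result codes, `PATTERN_MAX`, the `^(...)$` anchoring and the choice to refuse unprivileged callers outright are all assumptions.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MAX 64  /* assumed limit for this sketch, not an OpenAFS constant */

enum { MATCH_NO = 0, MATCH_YES = 1, MATCH_DENIED = -1, MATCH_BADPATTERN = -2 };

/* Hypothetical helper: does `name` match the caller-supplied regex `pattern`? */
int volume_name_matches(int caller_is_superuser, const char *pattern,
                        const char *name)
{
    char anchored[PATTERN_MAX + 5];  /* "^(" + pattern + ")$" + NUL */
    regex_t re;
    size_t len;
    int rc;

    if (pattern == NULL || name == NULL)
        return MATCH_BADPATTERN;
    /* Authorize first: unprivileged callers never reach the regex engine,
     * so they cannot feed it a CPU-expensive expression. */
    if (!caller_is_superuser)
        return MATCH_DENIED;
    /* Check the length before copying into the fixed-size buffer. */
    len = strlen(pattern);
    if (len == 0 || len > PATTERN_MAX)
        return MATCH_BADPATTERN;
    memcpy(anchored, "^(", 2);
    memcpy(anchored + 2, pattern, len);
    memcpy(anchored + 2 + len, ")$", 3);  /* copies the terminating NUL too */

    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return MATCH_BADPATTERN;  /* malformed expression */
    rc = regexec(&re, name, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? MATCH_YES : MATCH_NO;
}

int main(void)
{
    /* Constructed sample pattern and volume names. */
    const char *pat = "user\\..*\\.backup";
    printf("%d\n", volume_name_matches(1, pat, "user.alice.backup"));
    printf("%d\n", volume_name_matches(1, pat, "proj.alice"));
    printf("%d\n", volume_name_matches(0, pat, "user.alice.backup"));
    return 0;
}
```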
