> On Aug 28, 2025, at 4:30 PM, Cheyenne Wills <[email protected]> wrote:
>
> The patches for OpenAFS have been submitted for the master branch and
> are currently under review. They will be included in an upcoming
> 1.8.14pre1, that is still being finalized.
>
> Again thanks to Jeffery and Marc for their investigative work.

S/Jeffery/Jeffrey/

> I do want to mention that the commit that introduced the bug wasn't yet
> in a tagged stable release (though it was in the pending stack for the
> upcoming 1.8.14 work).

OpenAFS 0306f3fdac736e15620f5802bdce510d25bb2450 was included in packaged and tagged "openafs" releases from OpenSUSE, Debian, Ubuntu and Fedora. Although it is true that the OpenAFS release team has not tagged a release within the openafs git repository that it manages, Debian, Ubuntu, OpenSUSE and Fedora took 0306f3fdac73 as part of the stack of changes necessary to support 6.14 kernels based upon advice received from openafs developers:

https://lists.openafs.org/pipermail/openafs-devel/2025-April/021060.html

In my opinion a CVE should be published by OpenAFS referencing the commit, which can be referenced by all of the downstream distributions which included it.

Jeffrey Altman
