openafs (1.6.7-1ubuntu1~ubuntu12.04.1) precise-backports; urgency=medium
* No-change backport to precise (LP: #1442235)
- Adapt debian/control for correct build on Precise
-- Louis Bouchard <email address hidden> Tue, 07 Apr 2015 17:29:26 +0200
-
openafs (1.6.7-1~ubuntu12.04.2) precise-backports; urgency=medium
* Move all Build-Depends-Indep to Build-Depends to work around a bug
in debhelper.
-- Felix Geyer <email address hidden> Thu, 05 Jun 2014 19:46:02 +0200
-
openafs (1.6.7-1~ubuntu12.04.1) precise-backports; urgency=medium
* No-change backport to precise (LP: #1324288)
openafs (1.6.7-1) unstable; urgency=high
* New upstream security release.
- OPENAFS-SA-2014-001: Fix potential buffer overflow in the
fileserver. (CVE-2014-0159)
- Fix a potential DoS attack against Rx servers by avoiding suspending
the listener thread when delaying connection abort messages.
openafs (1.6.6-1) unstable; urgency=low
* New upstream release.
- Remove server-side NAT pings since there's no evidence they help.
* Fix linking of /usr/share/doc directories for libpam-openafs-kaserver,
openafs-fuse, and openafs-kpasswd. This was broken in previous
releases by a miswritten debian/rules override. Thanks to Andreas
Beckmann for finding the problem and solution. (Closes: #736305)
* Accept AFS_DYNROOT=true as an alias for Yes in afs.conf.client,
matching behavior of releases prior to 1.6.2.1-1. (Closes: #729353)
openafs (1.6.6~pre2-1) unstable; urgency=low
* New upstream pre-release.
- Linux kernels up to 3.12 are now supported, including kernels with
user namespace support enabled (which affects Debian's 3.12-1 kernel
and newer).
- Fixed core dumps into AFS with current kernels.
- When starting the client fails, backing device information created
in sysfs is now properly cleared.
- The AFS mountpoint specified in the cacheinfo file must now be an
absolute path.
- Stop tracking file locks on read-only volumes. Write locks always
fail and read locks always succeed.
- New fs flushall command to discard all cached data.
- Fixed a bug that could cause the client to incorrectly believe its
cache was up to date.
- New -rxmaxfrags switch to afsd to limit the number of UDP fragments
sent or received per RX packet.
- Fixed afsd threads entering an infinite loop.
- The file server now ignores any vice partitions with a NeverAttach
flag file present in the root directory.
- Enabled server-side NAT pings to refresh NAT timeouts.
- Forcing file server CPS recalculation (for IP ACLs) is now
restricted to administrators.
- vos examine of a volume in a transaction is now shown as busy again
rather than off-line.
- Multiple bug fixes to the salvager.
- Fixed a bug that could cause state information to be discarded when
restarting a large or busy file server.
- Fixed a vlserver bug during file server address registration.
- volserver supports a new -preserve-vol-stats option, which preserves
access statistics across volume restore and reclone operations.
- Releasing a volume after adding a new RO site no longer touches the
existing RO sites if the volume has not changed since the last
release.
- Fixed undefined ptserver behavior with too many allocated PTS ids.
- Avoid redefining assert in public header files.
- Documentation, diagnostics, and error message improvements.
openafs (1.6.5.2-1) unstable; urgency=medium
* New upstream release.
- Fix support for tmpfs as the cache filesystem.
- Support kernels with backported changes affecting getname/putname.
* Exit successfully in the openafs-client init script if /sbin/afsd
doesn't exist, indicating that openafs-client is not installed.
* Load /lib/lsdb/init-functions in the openafs-client init script as the
first step towards upstart or systemd support.
* Update standards version to 3.9.5 (no changes required).
openafs (1.6.5.1-1) unstable; urgency=low
* New upstream release.
- Support for Linux 3.11 and 3.12 (up to 3.12-rc3).
- Fixed core dumps into AFS with some Linux kernels.
* Cherry-pick additional upstream fixes.
- [7242e25a] Fix library ordering when building aklog.
- [514fc63d] Fix budb crash when the -servers command-line option
is given. (Closes: #718253)
* Ignore errors when reading ThisCell in the openafs-client config
script. If the file doesn't end in a newline, read will still succeed
and set the variable, but will exit with a non-zero status. This
would abort configuration of the package without a useful error
message.
* Drop Recommends of libjs-jquery in openafs-doc. We're no longer
replacing the embedded jQuery, pending a better fix in the Doxygen
packaging.
* Optimize the get-orig-source target. Thanks, Anders Kaseorg.
* Translation updates:
- German, thanks Erik Pfannenstein. (Closes: #719154)
openafs (1.6.5-1) unstable; urgency=high
* New upstream release.
- OPENAFS-SA-2013-003: New support for non-DES enctypes in the
long-lived AFS key. This requires deploying rxkad.keytab files on
each server containing all of the encryption types for the cell AFS
key. Once this is deployed on servers, DES will only be used for
the session key. Once deployed on all clients, a stronger security
mechanism will be used that allows the DES keys to be removed from
the AFS principal in the Kerberos KDC (but still uses DES for some
session encryption purposes). (CVE-2013-4134)
- OPENAFS-SA-2013-004: Properly support the -encrypt option in vos,
including with -localauth. (CVE-2013-4135)
* Move the documentation and kernel module build dependencies to
Build-Depends-Indep and only do those parts of the build if building
architecture-independent packages.
* Drop the sequence numbers from the openafs-client init script
registration. Debian now always uses dependency-based boot ordering.
* Translation updates:
- Japanese, thanks victory. (Closes: #714223)
openafs (1.6.4-1) unstable; urgency=low
* New upstream release.
openafs (1.6.3-1) unstable; urgency=low
* New upstream release.
- Support for Linux 3.9 and 3.10. (Closes: #711920)
- Multiple fixes for use after free, use of uninitialized memory,
and similar C memory management bugs found via code analysis.
- Obey jumbo/nojumbo settings for Ubik (database) servers.
- General improvements in diagnostic and log messages.
- Avoid incorrectly sending small amounts of data over the wire
unencrypted in some situations and report the correct error message
in this case.
- Avoid generating duplicate IDs for readonly and backup volumes.
- Return quota and free space information without an access check.
- Improve client bookkeeping in the file server, fixing several
potential corruption and segfault issues.
- Avoid known cases of silent data corruption in background syncs in
the file server.
- Run-time configuration support for fileserver synchronization.
- Fix transient network error interference with establishing a ubik
quorum.
- Do not discard the persistent client disk cache on restart.
- Fix bugs that made it impossible to unmount a disk cache file system
after it had been used by the client.
* Give openafs-dbserver its own documentation directory rather than
linking it to openafs-client, allowing relaxation of the versioned
dependency on openafs-client to Recommends. (However, openafs-client
will still have to be installed for the openafs-fileserver init
script, which uses the bos binary, so will still be pulled in by
dependencies.)
* Cleanup of the openafs-client postinst script.
- Perform all work unconditionally to handle various rare error
recovery cases properly.
- Only force creation of CellServDB on initial installation or if
AFSDB/SRV records are not being used.
* Remove openafs-fileserver postinst support for upgrades from ancient
versions (1.4.4.dfsg1-4 and 1.4.11+dfsg-3).
* General coding style cleanup of maintainer scripts.
openafs (1.6.2.1-2) unstable; urgency=low
* Upload to unstable.
* Translation updates:
- Brazilian Portuguese, thanks Albino B Neto. (Closes: #706627)
openafs (1.6.2.1-1) experimental; urgency=low
* New upstream release.
- Support for Linux 3.8.
* Support configuring -dynroot-sparse via debconf. The AFS_DYNROOT
option in /etc/openafs/afs.conf.client is now tri-valued instead of a
boolean, and the boolean values will be mapped to the corresponding
options on upgrade. Based on work by Jakob Haufe. (Closes: #644564)
* Translation updates:
- Czech, thanks Martin Šín. (Closes: #705013)
- Russian, thanks Yuri Kozlov. (Closes: #705159)
- French, thanks Christian Perrier. (Closes: #705296)
- Portuguese, thanks Miguel Figueiredo. (Closes: #705307)
- Danish, thanks Joe Hansen. (Closes: #705660)
- Italian, thanks Beatrice Torracca. (Closes: #705864)
openafs (1.6.2-1) experimental; urgency=low
* New upstream release.
- OPENAFS-SA-2013-001: Fix fileserver buffer overflow when parsing
client-supplied ACL entries and protect against client parsing of
bad ACL entries. (CVE-2013-1794)
- OPENAFS-SA-2013-002: Fix ptserver buffer overflow via integer
overflow in the IdToName RPC. (CVE-2013-1795)
- Fix aklog warning about allow_weak_crypto.
* Update CellServDB to the 2013-01-28 version.
* Fix DKMS builds of the OpenAFS kernel module for amd64 kernels on the
i386 architecture by parsing the kernel version for the architecture
and kernel class and using that to tell the OpenAFS build system what
sysname to use. Patch from Thorsten Alteholz.
* Avoid re-running setup after build when building modules from the
openafs-modules-source package with module-assistant. This will
hopefully avoid an issue where, following an upgrade of
openafs-modules-source, module-assistant cannot build new module
packages without an intervening module-assistant clean. Patch from
Thorsten Alteholz. (Closes: #660622)
* Make another attempt at suppressing the wildcard action for building
debian/rules to fix problems building module packages using
make-kpkg. Patch from Thorsten Alteholz. (Closes: #639475)
openafs (1.6.2~pre3-1) experimental; urgency=low
* New upstream prerelease.
- Avoid unnecessary panic in kernel module when freeing vcaches.
- Add additional objects to the *_pic libraries in support of the AFS
Perl bindings.
* Remove unnecessary change to the upstream Debian packaging files to
support armhf. These files aren't used during a package build, so no
need to carry a Debian patch.
openafs (1.6.2~pre2-2) experimental; urgency=low
* Restore include of <sys/param.h> in userspace builds of rx/rx_packet.h
to get a definition of MIN and MAX on, at least, powerpc. Thanks,
Andrew Deason.
openafs (1.6.2~pre2-1) experimental; urgency=low
* New upstream prerelease.
- Support Linux kernels up to 3.7. (Closes: #685973)
- Fix fileservers to properly report >2 TiB partitions.
- Fix stale volume info from vos examine on non-DAFS fileservers.
- Fix possible volume corruption with vos convertROtoRW.
- Fix bosserver to preserve all command-line options over restart.
- Fix bosserver to properly kill hung processes during shutdown.
- Fixes for memcache, especially on Solaris.
- Increase the size of the DNS resolver answer buffer to allow sites
with a long response list to use SRV and AFSDB records.
- Fix possible abuse of fs mkmount. In previous versions, users could
crash a client by nesting volume mounts.
- Fix client page cache corruption on Linux. When multiple clients
read and write to a file, the reading client may see the first couple
of bytes of a file as nulls.
- Support newer glibc versions.
* Build-Depend on hardening-wrapper and enable it to work around the
current upstream munging of CFLAGS and LDFLAGS. (Closes: #659663)
* Fix server installation instructions in README.servers, which used the
early demand-attach syntax before separate demand-attach binaries were
built. Thanks, Björn Torkelsson. (Closes: #693311)
* Remove the symlink from the openafs-fileserver doc directory to the
openafs-client doc directory. We used to install this symlink and
share doc directories, but this stopped in 1.4.12+dfsg-1. However,
dpkg doesn't remove symlinks to a directory, so systems that had
upgraded from the older package were overwriting openafs-client doc
files with the openafs-fileserver versions. Thanks, Andreas
Beckmann. (Closes: #694063)
* Switch to xz compression for the upstream tarball, Debian tarball, and
binary packages.
* Remove debian/import-upstream and change README.source to document
using git-import-orig with --upstream-vcs-tag instead.
* Move single-debian-patch to local-options and patch-header to
local-patch-header so that they only apply to the packages I build and
NMUs get regular version-numbered patches.
* Update Vcs-* URLs for the new anonscm.debian.org URL layout.
* Update standards version to 3.9.4 (no changes required).
openafs (1.6.1-2) unstable; urgency=low
* Translation updates:
- Fix German translation encoding. Thanks, Christian PERRIER.
(Closes: #678736)
- Italian, thanks Beatrice Torracca. (Closes: #671640)
-- Felix Geyer <email address hidden> Thu, 05 Jun 2014 19:02:36 +0200
-
openafs (1.6.1-1+ubuntu0.7) precise-security; urgency=low
* SECURITY UPDATE: Apply OPENAFS-SA-2015-007 "Tattletale" patch
(LP: #1513461)
- OPENAFS-SA-2015-007.patch: Rx ACK packets leak plaintext of previous
packets
- CVE-2015-7762
- CVE-2015-7763
-- Klas Mattsson <email address hidden> Thu, 05 Nov 2015 12:50:39 +0100
-
openafs (1.6.1-1+ubuntu0.6) precise-security; urgency=low
* SECURITY UPDATE: Merge security patches from Debian git master
(LP: #1481373)
- CVE-2015-3282.patch: vos leaks stack data onto the wire in the clear
when creating vldb entries
- CVE-2015-3283.patch: bos commands can be spoofed, including some which
alter server state
- CVE-2015-3284.patch: pioctls leak kernel memory contents
- CVE-2015-3285.patch: kernel pioctl support for OSD command passing can
trigger a panic
- CVE-2015-3287.patch: Buffer overflow in OpenAFS vlserver
-- Patrik Lundin <email address hidden> Fri, 07 Aug 2015 15:27:00 +0200
-
openafs (1.6.1-1+ubuntu0.5) precise; urgency=low
* Upstream v3.2.66 porting (LP: #1416375):
- 'd_alias' member of struct dentry has been moved into the 'd_u' union
* Dropped 'single-debian-patch' from debian/source/options
-- Luis Henriques <email address hidden> Thu, 05 Feb 2015 12:44:14 -0600
-
openafs (1.6.1-1+ubuntu0.4) precise-security; urgency=low
* SECURITY UPDATE: Merge security patches from Debian Wheezy:
- OPENAFS-SA-2014-001: Fix potential buffer overflow in the
fileserver. (CVE-2014-0159)
- Fix a potential DoS attack against Rx servers by avoiding suspending
the listener thread when delaying connection abort messages.
- Debian patches and above descriptions from <email address hidden>.
- LP: #1305807
-- Patrik Lundin <email address hidden> Thu, 10 Apr 2014 17:17:53 +0200
-
openafs (1.6.1-1+ubuntu0.3) precise; urgency=low
* 0013-afs-Do-not-skip-flushing-pages-for-dv-0-files.patch:
Fix files with NUL in first 4096 bytes (LP: #1263158)
-- Chris J Arges <email address hidden> Thu, 19 Dec 2013 17:57:47 -0600
-
openafs (1.6.1-1+ubuntu0.2) precise-security; urgency=low
* SECURITY UPDATE: Brute force DES attack permits compromise of AFS cell.
vos -encrypt doesn't encrypt connection data.
Buffer overflows which could cause a serverside denial of service.
- openafs-sa-2013-001.patch: Fix fileserver buffer overflow when parsing
client-supplied ACL entries and protect against client parsing of
bad ACL entries. Thanks to Nickolai Zeldovich.
- openafs-sa-2013-002.patch: Fix ptserver buffer overflow via integer
overflow in the IdToName RPC. Thanks to Nickolai Zeldovich.
- 0001-Add-rxkad-server-hook-function-to-decrypt-more-types.patch
- 0002-New-optional-rxkad-functionality-for-decypting-krb5-.patch
- 0003-Integrate-keytab-based-decryption-into-afsconf_Build.patch
- 0004-Derive-DES-fcrypt-session-key-from-other-key-types.patch
- 0005-Move-akimpersonate-to-libauth.patch
- 0006-Clean-up-akimpersonate-and-use-for-server-to-server.patch
- 0007-auth-Do-not-always-fallback-to-noauth.patch
- 0008-Avoid-calling-afsconf_GetLatestKey-directly.patch
- 0009-Reload-rxkad.keytab-on-CellServDB-modification.patch
- 0010-Add-support-for-deriving-DES-keys-to-klog.krb5.patch
- 0011 skipped because it was a version bump
- 0012-ubik-Fix-encryption-selection-in-ugen.patch
- Thanks to Chaskiel Grundman, Alexander Chernyakhovsky, Ben Kaduk,
Andrew Deason, and Michael Meffie for the above patch series.
- swap-libs.patch: Resolve FTBFS with newer toolchains. Thanks to Anders
Kaseorg.
- OPENAFS-SA-2013-001
- OPENAFS-SA-2013-002
- OPENAFS-SA-2013-003
- OPENAFS-SA-2013-004
- CVE-2013-1794
- CVE-2013-1795
- CVE-2013-4134
- CVE-2013-4135
- LP: #1145560
- LP: #1204195
-- Luke Faraone <email address hidden> Tue, 23 Jul 2013 21:11:02 -0400
-
openafs (1.6.1-1+ubuntu0.1) precise-proposed; urgency=low
* Apply upstream deltas for Linux 3.5 (Closes: #685973)
(LP: #1015925):
- [2b33384] Linux 3.4: replace end_writeback with clear_inode
- [5227148] Linux 3.5: encode_fh API change
-- Anders Kaseorg <email address hidden> Thu, 28 Feb 2013 01:14:13 -0500
-
openafs (1.6.1-1) unstable; urgency=low
* New upstream release.
- Do not ignore all InlineBulkStatus errors in file server.
- Support for Linux 3.3 and 3.4.
- Fix incorrect kernel error handling in afs_notify_change.
- Fix locking around RXS_PreparePacket.
-- Russ Allbery <email address hidden> Wed, 28 Mar 2012 17:25:05 -0700
-
openafs (1.6.1~pre1-1) unstable; urgency=low
* New upstream prerelease.
- Install new afsio utility.
- Fixes performance issues in both the client and the server.
- Rate-limit waiting for volume messages in kernel logs.
- Avoid a possible memory allocation issue in ticket data management.
- Disable MTU discovery.
- Reduce the quantity of NAT pings sent by the client.
- Various fixes for demand-attach file servers.
- Fix volume lock violations.
- Report the bosserver -rxbind address in a file.
- Revert process group changes on keyring failure.
- Various fixes for the salvager.
-- Ubuntu Archive Auto-Sync <email address hidden> Tue, 03 Jan 2012 02:34:50 +0000
-
openafs (1.6.0-3) unstable; urgency=low
* Apply upstream deltas to fix file corruption issue in file server:
- [c73b6644] viced: disable accelerated copyonwrite
- [4e05bc3b] remove CopyOnWrite2 and unused vars
-- Ubuntu Archive Auto-Sync <email address hidden> Mon, 19 Dec 2011 11:05:50 +0000
-
openafs (1.6.0-2) unstable; urgency=low
* Apply upstream deltas for Linux 3.1 and 3.2 (Closes: #649765):
- [f129142] Linux: 3.1: update RCU path walking detection in
permission i_op (Closes: #649996)
- [7f55b45] Linux: d_delete now takes a const argument
- [737a280] Linux: 3.2: Use set_nlink to update i_nlink
- [364fad6] Linux: 3.1: adapt to fsync changes
- [032736b] Linux: make sure backing_dev_info is zeroed
* Add support for armhf. Patch from Konstantinos Margaritis.
(Closes: #645395)
-- Ubuntu Archive Auto-Sync <email address hidden> Mon, 12 Dec 2011 12:01:03 +0000
-
openafs (1.6.0-1) unstable; urgency=low
* New upstream stable release.
- Rx NAT pings are not enabled until peer has answered
- Numerous fixes to command argument parsing
- Avoid crashing on host table exhaustion and defer clients instead
- Rx connection reference counting is enabled
- An Rx connection reference count leak is fixed in bulkstat
- Handle unparsable directory objects
- Handle Kerberos credential cache errors in aklog
* Generate stub header files that include the actual system header when
building libuafs instead of symlinking h to the appropriate directory.
Fixes build failures now that Debian has switched to multiarch and
moved some of the system headers. (Closes: #639063, LP #831287)
* Fix another Doxygen call to generate a configuration file, and remove
the generated configuration files after Doxygen runs.
* Update CellServDB to the 2011-08-14 release.
-- Anders Kaseorg <email address hidden> Mon, 12 Sep 2011 07:12:21 +0000