--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package autofs/5.1.7-1+deb11u1
- From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
- Date: Thu, 13 Jul 2023 00:31:03 +0200
- Message-id: <168920106397.53844.5554789678788357642.reportbug@sunobo.fritz.box>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: autofs@packages.debian.org
Control: affects -1 + src:autofs
Two issues have recently been addressed in autofs uploads to unstable.
[ Reason ]
Fixed issues:
* Don't let NFSv4-only mounts use rpcbind portmapper service.
* Fix missing unlock in sasl_do_kinit_ext_cc().
[ Impact ]
Fix autofs hanging for LDAP+Kerberos setups. Avoid communication to
rpcbind for NFSv4-only mounts.
[ Tests ]
Manually, on production site, by bug submitters.
[ Risks ]
Regressions in autofs.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
+ * debian/patches:
+ + Add fix-nfs4-only-mounts-should-not-use-rpcbind.patch. Don't let NFSv4-
+ only mounts use rpcbind portmapper service. (Closes: #1034261).
+ + Add fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch. Fix missing unlock
+ in sasl_do_kinit_ext_cc(). (Closes: #1039967).
[ Other info ]
Salvatore Bonnacorso (@carnil) will likely follow up this pu with another
pu. Not sure if he gets around to it before the deadline for the next
11.x point release.
diff -Nru autofs-5.1.7/debian/changelog autofs-5.1.7/debian/changelog
--- autofs-5.1.7/debian/changelog 2021-02-04 13:36:20.000000000 +0100
+++ autofs-5.1.7/debian/changelog 2023-07-10 19:01:17.000000000 +0200
@@ -1,3 +1,13 @@
+autofs (5.1.7-1+deb11u1) bullseye; urgency=medium
+
+ * debian/patches:
+ + Add fix-nfs4-only-mounts-should-not-use-rpcbind.patch. Don't let NFSv4-
+ only mounts use rpcbind portmapper service. (Closes: #1034261).
+ + Add fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch. Fix missing unlock
+ in sasl_do_kinit_ext_cc(). (Closes: #1039967).
+
+ -- Mike Gabriel <sunweaver@debian.org> Mon, 10 Jul 2023 19:01:17 +0200
+
autofs (5.1.7-1) unstable; urgency=medium
* New upstream release.
diff -Nru autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch
--- autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch 1970-01-01 01:00:00.000000000 +0100
+++ autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch 2023-07-05 12:14:29.000000000 +0200
@@ -0,0 +1,45 @@
+From b2571ed0df973a6dc6a8e661874655fa7cecdc37 Mon Sep 17 00:00:00 2001
+From: James Dingwall <james-autofs@dingwall.me.uk>
+Date: Wed, 20 Jul 2022 13:22:38 +0800
+Subject: autofs-5.1.8 - fix missing unlock in sasl_do_kinit_ext_cc()
+
+There is a missing mutex unlock in function sasl_do_kinit_ext_cc(),
+fix it.
+
+Signed-off-by: James Dingwall <james-autofs@dingwall.me.uk>
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+# CHANGELOG | 1 +
+ modules/cyrus-sasl.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+#diff --git a/CHANGELOG b/CHANGELOG
+#index 1f7c93a..e0b285d 100644
+#--- a/CHANGELOG
+#+++ b/CHANGELOG
+#@@ -27,6 +27,7 @@
+# - add autofs_strerror_r() helper for musl.
+# - update configure.
+# - handle innetgr() not present in musl.
+#+- fix missing unlock in sasl_do_kinit_ext_cc().
+#
+# 19/10/2021 autofs-5.1.8
+# - add xdr_exports().
+diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c
+index ae046e0..738e363 100644
+--- a/modules/cyrus-sasl.c
++++ b/modules/cyrus-sasl.c
+@@ -721,6 +721,10 @@ sasl_do_kinit_ext_cc(unsigned logopt, struct lookup_context *ctxt)
+
+ debug(logopt, "Kerberos authentication was successful!");
+
++ status = pthread_mutex_unlock(&krb5cc_mutex);
++ if (status)
++ fatal(status);
++
+ return 0;
+
+ out_cleanup_def_princ:
+--
+cgit
+
diff -Nru autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch
--- autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch 1970-01-01 01:00:00.000000000 +0100
+++ autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch 2023-07-05 12:14:29.000000000 +0200
@@ -0,0 +1,97 @@
+From 80845bbcbc264f19c6c6a81d680e1f2b1ea6d3cc Mon Sep 17 00:00:00 2001
+From: Ian Kent <raven@themaw.net>
+Date: Sun, 31 Oct 2021 07:36:16 +0800
+Subject: autofs-5.1.8 - fix nfsv4 only mounts should not use rpcbind
+
+Commit 606795ecfaa1 ("autofs-5.1.7 - also require TCP_REQUESTED when
+setting NFS port" together with commit 26fb6b5408be) caused NFSv4 only
+mounts to also use rpcbind to probe availability which breaks the
+requirememt that this type of mount not use rpcbind at all.
+
+Fix this by treating fstype=nfs4 mounts as a special case which doesn't
+use rpcbind.
+
+Signed-off-by: Ian Kent <raven@themaw.net>
+---
+# CHANGELOG | 1 +
+ include/replicated.h | 2 ++
+ modules/mount_nfs.c | 13 +++++++------
+ modules/replicated.c | 4 ++--
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+#diff --git a/CHANGELOG b/CHANGELOG
+#index 575f186..4e5e82d 100644
+#--- a/CHANGELOG
+#+++ b/CHANGELOG
+#@@ -8,6 +8,7 @@
+# - dont fail on duplicate offset entry tree add.
+# - fix loop under run in cache_get_offset_parent().
+# - bailout on rpc systemerror.
+#+- fix nfsv4 only mounts should not use rpcbind.
+#
+# 19/10/2021 autofs-5.1.8
+# - add xdr_exports().
+--- a/include/replicated.h
++++ b/include/replicated.h
+@@ -35,6 +35,8 @@
+ #define NFS3_REQUESTED NFS3_SUPPORTED
+ #define NFS4_REQUESTED NFS4_SUPPORTED
+
++#define NFS4_ONLY_REQUESTED 0x0800
++
+ #define TCP_SUPPORTED 0x0001
+ #define UDP_SUPPORTED 0x0002
+ #define TCP_REQUESTED TCP_SUPPORTED
+--- a/modules/mount_nfs.c
++++ b/modules/mount_nfs.c
+@@ -92,7 +92,7 @@
+ mount_default_proto = defaults_get_mount_nfs_default_proto();
+ vers = NFS_VERS_DEFAULT | NFS_PROTO_DEFAULT;
+ if (strcmp(fstype, "nfs4") == 0)
+- vers = NFS4_VERS_DEFAULT | TCP_SUPPORTED;
++ vers = NFS4_VERS_DEFAULT | TCP_SUPPORTED | NFS4_ONLY_REQUESTED;
+ else if (mount_default_proto == 4)
+ vers = vers | NFS4_VERS_DEFAULT;
+
+@@ -157,15 +157,16 @@
+ } else {
+ /* Is any version of NFSv4 in the options */
+ if (_strncmp("vers=4", cp, 6) == 0 ||
+- _strncmp("nfsvers=4", cp, 9) == 0)
+- vers = NFS4_VERS_MASK | TCP_SUPPORTED;
+- else if (_strncmp("vers=3", cp, o_len) == 0 ||
++ _strncmp("nfsvers=4", cp, 9) == 0) {
++ vers &= ~(NFS_VERS_MASK);
++ vers |= NFS4_VERS_MASK | TCP_SUPPORTED | NFS4_ONLY_REQUESTED;
++ } else if (_strncmp("vers=3", cp, o_len) == 0 ||
+ _strncmp("nfsvers=3", cp, o_len) == 0) {
+- vers &= ~(NFS4_VERS_MASK | NFS_VERS_MASK);
++ vers &= ~(NFS4_VERS_MASK | NFS_VERS_MASK | NFS4_ONLY_REQUESTED);
+ vers |= NFS3_REQUESTED;
+ } else if (_strncmp("vers=2", cp, o_len) == 0 ||
+ _strncmp("nfsvers=2", cp, o_len) == 0) {
+- vers &= ~(NFS4_VERS_MASK | NFS_VERS_MASK);
++ vers &= ~(NFS4_VERS_MASK | NFS_VERS_MASK | NFS4_ONLY_REQUESTED);
+ vers |= NFS2_REQUESTED;
+ } else if (strstr(cp, "port=") == cp &&
+ o_len - 5 < 25) {
+--- a/modules/replicated.c
++++ b/modules/replicated.c
+@@ -248,7 +248,7 @@
+
+ rpc_info->proto = proto;
+ if (port < 0) {
+- if (version & NFS4_REQUESTED)
++ if (version & NFS4_REQUESTED && (version & NFS4_ONLY_REQUESTED))
+ rpc_info->port = NFS_PORT;
+ else
+ port = 0;
+@@ -510,7 +510,7 @@
+ {
+ struct conn_info pm_info, rpc_info;
+ time_t timeout = RPC_TIMEOUT;
+- unsigned int supported, vers = (NFS_VERS_MASK | NFS4_VERS_MASK);
++ unsigned int supported, vers = (NFS_VERS_MASK | NFS4_VERS_MASK | NFS4_ONLY_REQUESTED);
+ int ret = 0;
+
+ if (!check_address_proto(logopt, host, version))
diff -Nru autofs-5.1.7/debian/patches/series autofs-5.1.7/debian/patches/series
--- autofs-5.1.7/debian/patches/series 2021-02-04 13:13:20.000000000 +0100
+++ autofs-5.1.7/debian/patches/series 2023-07-05 12:14:29.000000000 +0200
@@ -9,3 +9,5 @@
spelling-error-fixes.patch
fix-lookup-ldap-crash.patch
fix-nfs4-mounts-in-auto-net.patch
+fix-nfs4-only-mounts-should-not-use-rpcbind.patch
+fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch
--- End Message ---