
Unblock request for openafs 1.4.2-6



Hello folks,

openafs 1.4.2-6 has a security fix for CVE-2007-1507 (DSA-1271-1).  The
CVE was assigned after the package was uploaded.  It also contains fixes
for several other serious bugs that I would really like to get into etch.

Ideally, I would like to just have this package unblocked.  If there are
fixes included that are unacceptable, please let me know ASAP so that I
can prepare an upload for testing-proposed-updates with those changes that
are acceptable.

Changelog and analysis:

openafs (1.4.2-6) unstable; urgency=medium

  * SECURITY: Apply upstream patch to disable setuid status on all cells
    by default.  Prior versions of AFS defaulted to honoring setuid bits
    in the local cell, but since unauthenticated file access in AFS is
    unencrypted, an attacker could forge packets from an AFS file server
    to synthesize a setuid binary in AFS.

This is CVE-2007-1507.  The code change is minimal, but it requires some
explanation so there's a NEWS.Debian addition as well.

  * Apply upstream fix to use a single high-numbered group for the PAG on
    2.6 kernels and sort the group properly.  Fixes AFS-caused group
    ordering problems that could lead the kernel to ignore some group
    membership for users.  (Closes: #414911)

I believe that this is an RC bug since it breaks unrelated software.  This
problem was reported twice and separately raised on debian-devel.  This is
the most complex change in terms of lines of code changed, but it's still
only a few dozen lines of code.  It's in the current upstream release and
I have been using it on my personal workstation (and I use AFS heavily)
for a week without any trouble.

  * Apply upstream fix for segfaults in pts rename.  (Closes: #409184)

This is the least critical of the bug fixes included but it's also the
shortest code change of any of the fixes, only obvious fixes to a couple
lines of code.  Without this fix, several pts operations (chown and
rename) are completely unavailable.

  * Apply upstream fix to show reasonable free space numbers for AFS in
    df.  Without this fix, some programs which use df to check free space
    may think that directories in AFS are full and prevent the user from
    attempting to write files.  (Closes: #415294)

The upstream fix here adds a short new Autoconf probe and makes a minimal
change to one source file to use the results of that change.  Since the
patch includes an Autoconf change, there is a modification to debian/rules
to run regen.sh before running configure (and because of that, we don't
have to separately rebuild the man pages, since regen.sh does that).

  * Translation updates:
    - Dutch, thanks cobaco.  (Closes: #413701)
    - Portuguese, thanks Miguel Figueiredo.  (Closes: #414800)

These are, of course, not critical at all, but since they were already
included in the package and have no risk at all, I included them in this
upload.  I hope that won't be a problem.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
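The PAG group-ordering entry above (#414911) is the one that benefits most from a worked illustration of the failure mode it describes. The following Python is an added example, not code from this message or from OpenAFS: it models the Linux 2.6 supplementary-group membership check as a binary search over a list that the kernel expects to be sorted, the pre-fix behaviour as two PAG group ids spliced in at the front of that list without re-sorting, and the fixed behaviour as a single high-numbered gid with the list kept sorted. The gid values and function names are constructed for the example and are not the real PAG encoding.

```python
"""Why an unsorted supplementary-group list makes the kernel "ignore some
group membership" (added illustration, not OpenAFS code).

Assumption modelled here: the 2.6 kernel keeps a task's group list sorted and
tests membership with a binary search.  Anything that inserts gids into that
list without re-sorting (as the old AFS PAG handling did) can cause the search
to skip genuine groups.  All gid values below are constructed sample data.
"""

# Constructed placeholders for the two gids the old scheme used to encode a PAG.
OLD_PAG_GIDS = [0x3F000001, 0x3F000002]
# Constructed placeholder for the single high-numbered PAG gid of the fix.
PAG_GID = 0x41000011


def groups_search(groups, gid):
    """Binary search as a sorted kernel group list is searched.

    Returns True only if gid is found.  Correct only when `groups` is sorted;
    on an unsorted list it may return False for a gid that is present.
    """
    lo, hi = 0, len(groups)
    while lo < hi:
        mid = (lo + hi) // 2
        if groups[mid] < gid:
            lo = mid + 1
        elif groups[mid] > gid:
            hi = mid
        else:
            return True
    return False


def add_pag_old(groups):
    """Pre-fix behaviour (modelled): two PAG gids placed at the front of the
    user's group list, with no re-sort afterwards."""
    return OLD_PAG_GIDS + sorted(groups)


def add_pag_fixed(groups):
    """Fixed behaviour (modelled): one high-numbered PAG gid, list kept
    sorted so the kernel's binary search stays valid."""
    return sorted(set(groups) | {PAG_GID})


def membership_report(groups, gids_to_check):
    """Map each gid to whether the kernel-style search would find it."""
    return {gid: groups_search(groups, gid) for gid in gids_to_check}


def lost_groups(user_groups):
    """Return the user's real groups that the old scheme makes the search miss."""
    old_list = add_pag_old(user_groups)
    return [g for g in sorted(user_groups) if not groups_search(old_list, g)]


if __name__ == "__main__":
    # Constructed sample: a user in four ordinary groups (e.g. sudo, audio, ...).
    user_groups = [27, 50, 100, 1000]
    print("old scheme, real groups missed:", lost_groups(user_groups))
    print("fixed scheme:", membership_report(add_pag_fixed(user_groups),
                                             user_groups + [PAG_GID]))
```

With the sample groups, the old scheme makes the search miss gid 27 (the search is steered by the two large values at the front and never reaches it) while the other groups still resolve, which is exactly the "some group membership" symptom the changelog entry describes; with the sorted single-gid list every group, the PAG included, is found.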