SCIENTIFIC-LINUX-DEVEL Archives

March 2007

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject: (none)
From: Stephan Wiesand <[log in to unmask]>
Reply To: Stephan Wiesand <[log in to unmask]>
Date: Wed, 21 Mar 2007 12:19:41 +0100
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (33 lines)

All,

the OpenAFS project yesterday issued a security advisory. In short,
allowing the client to honor the setuid bit is not secure, but that's the
default setting for the local cell.

For details, see

http://openafs.org/security/OPENAFS-SA-2007-001.txt

The issue is also explained in Debian's advisory, maybe a bit simpler:

http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00026.html

With OpenAFS 1.4.4, the default was now changed to not honor suid even for
the local cell. Applying this change to older releases (1.2.13, 1.4.1) is
simple, and this is what others (Debian, Mandriva) have done for their
errata.

Alas, this is not just a bug fix: There are sites where things will break,
and I wonder whether (and if, how) such updates should be pushed out for
SL3&4, especially since the workaround is quite simple.

Any opinions?

   Stephan

-- 
Stephan Wiesand
   DESY - DV -
   Platanenallee 6
   15738 Zeuthen, Germany
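As an added example (not part of the post above, and not code from the OpenAFS project), here is a small audit script an administrator could use to see which cells the local AFS client still honors setuid for, and to print the per-cell command that would disable it. It assumes the status line format of `fs getcellstatus -cell <name>` is `Cell <name> status: setuid allowed` or `Cell <name> status: no setuid allowed`, and that `fs setcell -cell <name> -nosuid` is the per-cell switch; the cell names and status lines below are constructed sample data standing in for real `fs` output.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenAFS project.
# Audits which AFS cells the local client honors setuid binaries for.
#
# Assumed output format of `fs getcellstatus -cell <name>` (one line per cell):
#   Cell <name> status: setuid allowed
#   Cell <name> status: no setuid allowed

# Constructed sample status lines, standing in for running
# `fs getcellstatus` against every cell in /usr/vice/etc/CellServDB.
SAMPLE_STATUS='Cell cell-a.example status: setuid allowed
Cell cell-b.example status: no setuid allowed
Cell cell-c.example status: setuid allowed'

# Read status lines on stdin and print the names of cells that still
# honor setuid. "no setuid allowed" is excluded first so the second grep
# cannot match it as a substring.
cells_honoring_suid() {
    grep -v 'no setuid allowed' | grep 'status: setuid allowed' | awk '{print $2}'
}

# Read status lines on stdin and print, for each cell still honoring
# setuid, the fs command that would turn it off. The commands are only
# printed so an administrator can review them before running anything.
remediation_commands() {
    cells_honoring_suid | while read -r cell; do
        printf 'fs setcell -cell %s -nosuid\n' "$cell"
    done
}

# Stand-alone use: audit the constructed sample data.
printf '%s\n' "$SAMPLE_STATUS" | remediation_commands
```

On a real client, replace the constructed `SAMPLE_STATUS` with the concatenated output of `fs getcellstatus` for each cell of interest; the two functions read whatever status lines arrive on stdin.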
