Date: Wed, 21 Mar 2007 12:19:41 +0100
All,
the OpenAFS project yesterday issued a security advisory. In short,
allowing the client to honor the setuid bit is not secure, but that's the
default setting for the local cell.
For details, see
http://openafs.org/security/OPENAFS-SA-2007-001.txt
The issue is also explained in Debian's advisory, maybe a bit simpler:
http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00026.html
With OpenAFS 1.4.4, the default has now been changed to not honor suid even
for the local cell. Applying this change to older releases (1.2.13, 1.4.1)
is simple, and this is what others (Debian, Mandriva) have done for their
errata.
Alas, this is not just a bug fix: there are sites where things will break,
and I wonder whether (and if so, how) such updates should be pushed out for
SL3&4, especially since the workaround is quite simple.
Any opinions?
Stephan
--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
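As an added illustration of the client-side setting the advisory is about (not part of the post above, and not OpenAFS project code): a small POSIX shell helper that reads "fs getcellstatus" output, reports cells whose setuid handling is still enabled, and prints the "fs setcell -nosuid" command that turns it off. The cell names in the sample are constructed, and the output format is assumed to be "Cell NAME status: setuid allowed" / "no setuid allowed".

```shell
#!/bin/sh
# Added example: audit OpenAFS client cells for setuid handling.
# Cell names in SAMPLE are constructed; the "fs getcellstatus" line
# format is an assumption taken from the OpenAFS fs command.

# Classify one "fs getcellstatus" line.
# Prints "setuid" if the cell honors setuid binaries, "nosuid" otherwise;
# returns 1 for lines that are not a recognised status line.
classify_cell_status() {
    case "$1" in
        *": no setuid allowed"*) echo nosuid ;;
        *": setuid allowed"*)    echo setuid ;;
        *) return 1 ;;
    esac
}

# Print the command that disables setuid handling for a cell.
nosuid_command() {
    echo "fs setcell -cell $1 -nosuid"
}

# Read status lines from stdin (real output of
# "fs getcellstatus -cell NAME" per cell, or constructed samples) and
# report every cell that still honors setuid, with the fix to run.
report_suid_cells() {
    while IFS= read -r line; do
        status=$(classify_cell_status "$line") || continue
        cell=$(printf '%s\n' "$line" | sed -n 's/^Cell \(.*\) status: .*/\1/p')
        if [ "$status" = setuid ]; then
            printf '%s honors setuid; run: %s\n' "$cell" "$(nosuid_command "$cell")"
        fi
    done
}

# Constructed sample: one cell with the insecure pre-1.4.4 default,
# one already hardened.
SAMPLE='Cell example.org status: setuid allowed
Cell other.example status: no setuid allowed'

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE" | report_suid_cells
```

On a real client, feed it `for c in $(cat /usr/vice/etc/CellServDB | sed -n 's/^>\([^ ]*\).*/\1/p'); do fs getcellstatus -cell "$c"; done` instead of the sample; the path to CellServDB is site-specific.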