Upstream has issued advisories on March 16:
http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt
http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt

The issues are fixed in version 1.6.17.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated openafs packages fix security vulnerabilities:

In OpenAFS before 1.6.17, users from foreign Kerberos realms can create groups as if they were administrators (CVE-2016-2860).

In OpenAFS before 1.6.17, information leakage over the network due to uninitialized memory (OPENAFS-SA-2016-002).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2860
http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt
http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt
http://dl.openafs.org/dl/1.6.16/RELNOTES-1.6.16
http://dl.openafs.org/dl/1.6.16/RELNOTES-1.6.17
https://lists.openafs.org/pipermail/openafs-announce/2015/000495.html
https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html
========================

Updated packages in core/updates_testing:
========================
openafs-1.6.17-1.mga5
openafs-client-1.6.17-1.mga5
openafs-server-1.6.17-1.mga5
libopenafs1-1.6.17-1.mga5
libopenafs-devel-1.6.17-1.mga5
libopenafs-static-devel-1.6.17-1.mga5
dkms-libafs-1.6.17-1.mga5
openafs-doc-1.6.17-1.mga5

from openafs-1.6.17-1.mga5.src.rpm
Test procedure: https://wiki.mageia.org/en/Installing_OpenAFS_Client
Whiteboard: (none) => has_procedure
also remember to test that dkms-libafs builds against kernel-4.4.6 in testing
CC: (none) => tmb
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: openafs dkms-libafs

default install of kernel-desktop586-latest, kernel-desktop586-devel-latest, openafs & dkms-libafs

[root@localhost wilcal]# uname -a
Linux localhost 4.1.15-desktop586-2.mga5 #1 SMP Wed Jan 20 17:06:34 UTC 2016 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop586-latest
Package kernel-desktop586-latest-4.1.15-2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kernel-desktop586-devel-latest
Package kernel-desktop586-devel-latest-4.1.15-2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openafs
Package openafs-1.6.15-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi dkms-libafs
Package dkms-libafs-1.6.15-1.mga5.noarch is already installed

System compiles and boots to a working desktop. Common apps work. Screen dimensions are correct.

install kernel-desktop586-latest, kernel-desktop586-devel-latest, openafs & dkms-libafs from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 4.4.6-desktop586-1.mga5 #1 SMP Wed Mar 16 20:11:36 UTC 2016 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop586-latest
Package kernel-desktop586-latest-4.4.6-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kernel-desktop586-devel-latest
Package kernel-desktop586-devel-latest-4.4.6-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi openafs
Package openafs-1.6.17-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi dkms-libafs
Package dkms-libafs-1.6.17-1.mga5.noarch is already installed

System compiles and boots to a working desktop. Common apps work. Screen dimensions are correct.
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: openafs dkms-libafs

default install of kernel-desktop-latest, kernel-desktop-devel-latest, openafs & dkms-libafs

[root@localhost wilcal]# uname -a
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:05:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.1.15-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.1.15-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openafs
Package openafs-1.6.15-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-libafs
Package dkms-libafs-1.6.15-1.mga5.noarch is already installed

System compiles and boots to a working desktop. Common apps work. Screen dimensions are correct.

install kernel-desktop-latest, kernel-desktop-devel-latest, openafs & dkms-libafs from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 4.4.6-desktop-1.mga5 #1 SMP Wed Mar 16 20:11:06 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.6-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.4.6-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi openafs
Package openafs-1.6.17-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-libafs
Package dkms-libafs-1.6.17-1.mga5.noarch is already installed

System compiles and boots to a working desktop. Common apps work. Screen dimensions are correct.
x86_64 4.4.6-desktop-1.mga5

Installed the packages before update then installed the new packages from update testing. Ran through the setup instructions but could not start the client server. The messages indicated that there was no libafs module to load. Uninstalled dkms-libafs and reinstalled "manually" and watched dkms fail:

Building module:
cleaning build area....(bad exit status: 2)
SMP=SP; eval `grep CONFIG_SMP /boot/config-4.4.6-desktop-1.mga5`; [ -n "$CONFIG_SMP" ] && SMP=MP; ./configure --with-linux-kernel-headers=/lib/modules/4.4.6-desktop-1.mga5/build; make MPS=$SMP; mv src/libafs/MODLOAD-*/libafs.ko ...................................(bad exit status: 1)
Error! Bad return status for module build on kernel: 4.4.6-desktop-1.mga5 (x86_64)
Consult the make.log in the build directory
/var/lib/dkms/libafs/1.6.17-1.mga5/build/ for more information.
Error! Could not locate libafs.ko.xz for module libafs in the DKMS tree.
You must run a dkms build for kernel 4.4.6-desktop-1.mga5 (x86_64) first.
warning: %post(dkms-libafs-1.6.17-1.mga5.noarch) scriptlet failed, exit status 4
ERROR: 'script' failed for dkms-libafs-1.6.17-1.mga5
 2/2: openafs #############################################

DKMS make.log for libafs-1.6.17-1.mga5 for kernel 4.4.6-desktop-1.mga5 (x86_64)
Sun 20 Mar 17:50:22 GMT 2016
mv: cannot stat ‘src/libafs/MODLOAD-*/libafs.ko’: No such file or directory

Tried the reinstallation twice and it failed the same way for both. Help!
CC: (none) => tarazed25
And surely the dkms build of the kernel is done automatically when the kernel is installed?
Check you have kernel-*-devel-latest installed for the new kernel Len.
Yes. That's what puzzles me. I had performed all the checks as outlined in the test procedure and found that everything matched up. /boot/config-4.4.6-desktop-1.mga5 is there and looks OK to me. And there is no libafs.ko in /var/lib/dkms/libafs/1.6.17-1.mga5/build/src/libafs/MODLOAD-4.4.6-desktop-1.mga5-MP. I think the ./configure command is referring to the Makefile in /lib/modules/4.4.6-desktop-1.mga5/build and that this is passed on to make in the next step. So the module is failing to build at that stage. All the links and paths I have traced are in line with 4.4.6-1. So what I would like to do is ".... run a dkms build for kernel 4.4.6-desktop-1.mga5 (x86_64)" again, manually, but don't know how to do that.
I can't really do much until I'm home again, but check with

# dkms status

You sometimes find with kernel modules that installing/removing kernels during testing doesn't remove them in the correct sequence and affects builds on the next update. See bug 10771.
# dkms status
libafs, 1.6.17-1.mga5: added
virtualbox, 5.0.16-1.mga5, 4.4.5-desktop-1.mga5, x86_64: installed
virtualbox, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
virtualbox, 5.0.16-1.mga5, 4.1.15-tmb-desktop-2.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.1.15-2.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.4.4-desktop-1.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.4.5-desktop-1.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.1.15-desktop-2.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.1.15-tmb-desktop-2.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.1.15-2.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.4.5-desktop-1.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.1.15-desktop-2.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.1.15-tmb-desktop-2.mga5, x86_64: installed
There were a lot more entries. Should I for a start just remove some of the older kernels? Not likely to be used again.
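A check for the situation in the listing above, added here as an example and not taken from the bug report or from Mageia's dkms-libafs packaging: it reads `dkms status` output and names the modules with no build installed for a given kernel (libafs shows only as "added"), and separately tests that the kernel build tree DKMS configures against exists. The status text in the script is constructed from the listing above, and "examplemod" is a made-up module name.

```shell
#!/bin/sh
# Added example, not from the bug report or Mageia's dkms-libafs packaging.
# Two checks for the failure seen above: a DKMS module that is only "added"
# (never built) for the running kernel, and a missing kernel build tree.

# Print the names of DKMS modules that have no "installed" entry for kernel $1.
# Reads `dkms status` output on stdin. Lines look like either
#   libafs, 1.6.17-1.mga5: added
#   virtualbox, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
dkms_missing_for_kernel() {
    awk -v k="$1" -F', *' '
        NF == 0 { next }
        !($1 in seen) { seen[$1] = 1; order[n++] = $1 }   # keep first-seen order
        NF >= 4 && $3 == k && $4 ~ /: installed$/ { ok[$1] = 1 }
        END { for (i = 0; i < n; i++) if (!(order[i] in ok)) print order[i] }
    '
}

# Succeed when the kernel build tree DKMS configures against exists.
# $2 is an optional root prefix so the check can be run against a test tree.
kernel_build_tree_present() {
    [ -d "${2:-}/lib/modules/$1/build" ]
}

# Constructed sample, modelled on the listing in the thread: libafs was only
# "added", and examplemod (a made-up module) was built only for the old kernel.
SAMPLE_DKMS_STATUS='libafs, 1.6.17-1.mga5: added
virtualbox, 5.0.16-1.mga5, 4.4.5-desktop-1.mga5, x86_64: installed
virtualbox, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
xtables-addons, 2.10-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
vboxadditions, 5.0.16-1.mga5, 4.4.6-desktop-1.mga5, x86_64: installed
examplemod, 1.0-1.mga5, 4.1.15-desktop-2.mga5, x86_64: installed'

# Demo on the constructed sample; prints "libafs" and "examplemod".
printf '%s\n' "$SAMPLE_DKMS_STATUS" | dkms_missing_for_kernel 4.4.6-desktop-1.mga5

# On a real host the same check runs against the live status and kernel.
if command -v dkms >/dev/null 2>&1; then
    for m in $(dkms status | dkms_missing_for_kernel "$(uname -r)"); do
        echo "not built for $(uname -r): $m"
    done
    kernel_build_tree_present "$(uname -r)" ||
        echo "no /lib/modules/$(uname -r)/build: install kernel-*-devel-latest"
fi
```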
Started removing old kernel modules manually. At some stage there was a prompt about removing orphaned packages, which I agreed to, and that removed 141 old packages. Removed openafs and reinstalled it and it still fell over at the dkms build stage.

Error! Could not locate libafs.ko.xz for module libafs in the DKMS tree.
You must run a dkms build for kernel 4.4.6-desktop-1.mga5 (x86_64) first.
warning: %post(dkms-libafs-1.6.17-1.mga5.noarch) scriptlet failed, exit status 4
ERROR: 'script' failed for dkms-libafs-1.6.17-1.mga5

Not much choice but to remove the running kernel and reinstall it. The system is broken in other ways. There are no nvidia tools installed, for instance.
Spring-cleaned the system and discovered that the nvidia driver had not been running, probably for some time. nouveau had slipped in somehow. Reverted to kernel 4.1.15-desktop-2 and reinstalled openafs. The libafs module rebuilt cleanly. Ran the update and again openafs installed properly. About to run through the test procedure.
The tests ran OK, more or less. The report is a bit lengthy....

Having already installed the components and started the setup earlier, some parts of the sequence could be skipped, but I did find a couple of package mismatches and repaired them.

# [ ! -d /afs/ ] && mkdir /afs/ || echo "/afs/ already exists"
/afs/ already exists

Defined cachesize in /etc/sysconfig/openafs:

# cat openafs
# OpenAFS Client Configuration
AFSD_ARGS="-dynroot -fakestat -afsdb"
# OpenAFS Server Configuration
BOSSERVER_ARGS=
CACHESIZE=512000

Ran these commands to add -nosettime to default afsd parameters:

# f=/etc/sysconfig/openafs
# sed < ${f} -e s/^AFSD_ARGS=/#AFSD_ARGS=/ -e s/^$/AFSD_ARGS="-dynroot -fakestat -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime"/ > ${f}+
# mv -f ${f} /tmp/ && mv ${f}+ ${f}
# modprobe libafs && echo AFS kernel module loaded || echo Failed to load libafs
AFS kernel module loaded

Start AFS client cache manager:

# systemctl start openafs-client.service
# systemctl status openafs-client.service
● openafs-client.service - OpenAFS Client Service
   Loaded: loaded (/usr/lib/systemd/system/openafs-client.service; enabled)
   Active: active (running) since Tue 2016-03-22 13:49:57 GMT; 12s ago
  Process: 10043 ExecStart=/sbin/afsd $AFSD_ARGS (code=exited, status=0/SUCCESS)
  Process: 10034 ExecStartPre=/sbin/modprobe libafs (code=exited, status=0/SUCCESS)
  Process: 10032 ExecStartPre=/bin/chmod 0644 /etc/openafs/CellServDB (code=exited, status=0/SUCCESS)
  Process: 10030 ExecStartPre=/bin/sed -n w/etc/openafs/CellServDB /etc/openafs/CellServDB.local /etc/openafs/CellServDB.dist (code=exited, status=0/SUCCESS)
 Main PID: 10051 (afsd)
   CGroup: /system.slice/openafs-client.service
           └─10051 /sbin/afsd -dynroot -fakestat -afsdb -stat 2000 -dcache 80...

Mar 22 13:49:57 vega afsd[10043]: afsd: All AFS daemons started.
Mar 22 13:49:57 vega afsd[10043]: afsd: All AFS daemons started.

So far so good....
# df /afs/
Filesystem      Size  Used Avail Use% Mounted on
AFS             2.0T     0  2.0T   0% /afs

I guess that must be cloud storage?

Installed krb5-workstation-1.12.2-8.3.mga5

And this is where I got stuck -> "Edit /etc/krb5.conf and define for your Kerberos realm"

Know nothing about kerberos realms (?). The rest of the test is to do with openafs in action. All I can do is confirm that it all installs and starts up OK.

Back in userland here - i.e. not root. Although, there was a response to the nl command.

$ nl /afs/grand.central.org/service/CellServDB | head -30

viz. a numbered listing of subscribers.

$ wc -l /afs/grand.central.org/service/CellServDB
667 /afs/grand.central.org/service/CellServDB

$ cd /afs/grand.central.org/
[lcl@vega grand.central.org]$ ls -l
total 18
drwxrwxrwx 3 root root 2048 Jun  2  2009 archive
drwxrwxrwx 2 root root 2048 May  6  2006 cvs
drwxrwxrwx 3 root root 2048 Mar 21  2003 doc
drwxrwxrwx 7 root root 2048 May  7  2006 local
drwxrwxrwx 2 root root 2048 Dec 11  2014 project
drwxrwxrwx 5 root root 2048 Jan 30  2007 service
drwxrwxrwx 2 root root 2048 Dec 31  2008 software
drwxrwxrwx 2 root root 2048 Aug 24  2007 user
drwxrwxrwx 2 root root 2048 Oct  5  2012 www

Check access control rights for directory service:

$ fs listacl service
Access list for service is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl

Calling it a day and setting OK for 64-bits.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Validating. Advisory todo.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure mga5-32-ok MGA5-64-OK
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure mga5-32-ok MGA5-64-OK => has_procedure mga5-32-ok MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0121.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #0)
> http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt

CVE request:
http://openwall.com/lists/oss-security/2016/05/05/17
(In reply to David Walser from comment #17)
> (In reply to David Walser from comment #0)
> > http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt
>
> CVE request:
> http://openwall.com/lists/oss-security/2016/05/05/17

CVE-2016-4536:
http://openwall.com/lists/oss-security/2016/05/05/23
Summary: openafs new security issue CVE-2016-2860 => openafs new security issues CVE-2016-2860 and CVE-2016-4536
CVE-2015-8312 was also fixed in this update:
http://lwn.net/Vulnerabilities/689249/