Advisory: This update provides an update to openafs 1.6.22 and adds support for 4.14 series kernels. SRPMS: openafs-1.6.22-1.mga6.src.rpm i586: dkms-libafs-1.6.22-1.mga6.noarch.rpm libopenafs1-1.6.22-1.mga6.i586.rpm libopenafs-devel-1.6.22-1.mga6.i586.rpm libopenafs-static-devel-1.6.22-1.mga6.i586.rpm openafs-1.6.22-1.mga6.i586.rpm openafs-client-1.6.22-1.mga6.i586.rpm openafs-doc-1.6.22-1.mga6.noarch.rpm openafs-server-1.6.22-1.mga6.i586.rpm x86_64: dkms-libafs-1.6.22-1.mga6.noarch.rpm lib64openafs1-1.6.22-1.mga6.x86_64.rpm lib64openafs-devel-1.6.22-1.mga6.x86_64.rpm lib64openafs-static-devel-1.6.22-1.mga6.x86_64.rpm openafs-1.6.22-1.mga6.x86_64.rpm openafs-client-1.6.22-1.mga6.x86_64.rpm openafs-doc-1.6.22-1.mga6.noarch.rpm openafs-server-1.6.22-1.mga6.x86_64.rpm
Debian has issued an advisory on December 17: https://www.debian.org/security/2017/dsa-4067 It was discovered that malformed jumbogram packets could result in denial of service against OpenAFS (CVE-2017-17432). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17432 https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt https://dl.openafs.org/dl/1.6.21/RELNOTES-1.6.21 https://dl.openafs.org/dl/1.6.22/RELNOTES-1.6.22 Mageia 5 is also affected.
Component: RPM Packages => SecurityQA Contact: (none) => securitySummary: 'update request: openafs 1.6.22 => openafs new security issue CVE-2017-17432 (fixed in 1.6.22)
advisory, added to svn: type: security subject: Updated openafs packages fixes security vulnerability CVE: - CVE-2017-17432 src: 6: core: - openafs-1.6.22-1.mga6 description: | This update provides an update to openafs 1.6.22, fixing the following security issue: It was discovered that malformed jumbogram packets could result in denial of service against OpenAFS (CVE-2017-17432). It also adds support for 4.14 series kernels. references: - https://bugs.mageia.org/show_bug.cgi?id=22209 - https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt - https://dl.openafs.org/dl/1.6.21/RELNOTES-1.6.21 - https://dl.openafs.org/dl/1.6.22/RELNOTES-1.6.22
Keywords: (none) => advisory
MGA6-32 on Dell Latitude D600 MATE No installation issues. This laptop has no space to install a real file system, so I tried some commands # afsio help afsio: Commands are: append append to a file in AFS apropos search by help text fidappend append to a file in AFS fidlock lock by FID a file from AFS fidread read on a non AFS-client a file from AFS fidunlock unlock by FID a file from AFS fidwrite write a file into AFS help get help on commands lock lock a file in AFS read read a file from AFS unlock unlock a file in AFS version show version write write a file into AFS # cmdebug -help Usage: cmdebug -servers <server machine> [-port <IP port>] [-long] [-refcounts] [-callbacks] [-ctime] [-addrs] [-cache] [-cellservdb] [-help] Where: -long print all info -refcounts print only cache entries with positive reference counts -callbacks print only cache entries with callbacks -ctime print human readable expiration time -addrs print only host interfaces -cache print only cache configuration -cellservdb print only cellservdb info # systemctl -l start openafs-server # systemctl -l status openafs-server ● openafs-server.service - OpenAFS Server Service Loaded: loaded (/usr/lib/systemd/system/openafs-server.service; enabled; vendor preset: enabled) Active: active (running) since wo 2017-12-27 15:22:29 CET; 3s ago Main PID: 20723 (bosserver) CGroup: /system.slice/openafs-server.service └─20723 /usr/sbin/bosserver -nofork dec 27 15:22:29 mach6.hviaene.thuis systemd[1]: Started OpenAFS Server Service. # systemctl start openafs-client Job for openafs-client.service failed because the control process exited with error code. See "systemctl status openafs-client.service" and "journalctl -xe" for details. [root@mach6 ~]# systemctl -l status openafs-client ● openafs-client.service - OpenAFS Client Service Loaded: loaded (/usr/lib/systemd/system/openafs-client.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since wo 2017-12-27 16:01:31 CET; 8s ago Process: 23909 ExecStartPre=/sbin/modprobe libafs (code=exited, status=1/FAILURE) Process: 23904 ExecStartPre=/bin/chmod 0644 /etc/openafs/CellServDB (code=exited, status=0/SUCCESS) Process: 23903 ExecStartPre=/bin/sed -n w/etc/openafs/CellServDB /etc/openafs/CellServDB.local /etc/openafs/CellServ dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: Starting OpenAFS Client Service... dec 27 16:01:31 mach6.hviaene.thuis modprobe[23909]: modprobe: FATAL: Module libafs not found in directory /lib/module dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Control process exited, code=exited status=1 dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: Failed to start OpenAFS Client Service. dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Unit entered failed state. dec 27 16:01:31 mach6.hviaene.thuis systemd[1]: openafs-client.service: Failed with result 'exit-code'. I don't understand this "module not found" unless that one is in the devel packages???
CC: (none) => herman.viaene
Severity: normal => major
Having a look at this for x86_64. I had created an AFS filesystem ages ago but need to go back to the beginning and study the OpenAFS User Guide http://docs.openafs.org/UserGuide/. Herman's report will be valuable.
CC: (none) => tarazed25
Mageia 6 :: x86_64 Installed the updates as listed. Noted that the mount point /afs was created automatically. The manual states that both client and server can operate on the same machine so I started both services: # systemctl enable openafs-server.service # systemctl start openafs-server.service # systemctl enable openafs-client.service # systemctl start openafs-client.service Both running OK. $ ls /afs acm-csuf.org/ laroia.net/ acm.jhu.edu/ lcp.nrl.navy.mil/ ..................................... Tried to write a file to /afs but foundered badly. # afsio help write afsio write: write a file into AFS Usage: afsio write -file <AFS-filename> [-cell <cellname>] [-verbose] [-md5] [-force] [-synthesize <create data pattern of specified length instead reading from stdin>] [-realm <REALMNAME>] [-help] Where: -md5 calculate md5 checksum -force overwrite existing file $ afsio write -file /afs/rendir.rb Segmentation fault (core dumped) $ cp rendir.rb /afs cp: cannot create regular file '/afs/rendir.rb': Read-only file system The manual states: Note: You can use AFS commands only on files in the AFS filespace or the local directories that are links to the AFS filespace. So the question is, how do you place files in the AFS filespace? This will take some time to figure out. <quote> Under the /afs root directory are subdirectories created by your system administrator, including your home directory. </quote> The existing subdirectories are all links to participating sites which would imply that there needs to be something similar for this site, but what? The 'readonly' implies that some system service function needs to be employed to extend this list. Baffled.
Found some old reports on this machine which give something to follow. No apologies for all the details. This is a big subject and I can only scratch the surface. $ uname -r 4.14.10-1.mga6 $ cd /etc/openafs $ ll -rw-r--r-- 1 root root 10 Jan 5 12:03 bosserver.rxbind -rw-r--r-- 1 root root 31 Dec 16 02:01 cacheinfo -rw-r--r-- 1 root root 37197 Jan 5 12:36 CellServDB -rw-r--r-- 1 root root 37197 Dec 16 02:01 CellServDB.dist -rw-r--r-- 1 root root 0 Jan 5 11:46 CellServDB.local drwxr-xr-x 2 root root 4096 Jan 5 12:03 server/ -rw-r--r-- 1 root root 12 Dec 16 02:01 ThisCell Port 7001 is mentioned so made sure that 7001/udp was opened via Shorewall. This indicates that the database has been backed up. Let's do it explicitly: $ su # wget http://dl.central.org/dl/cellservdb/CellServDB --2018-01-05 16:47:20-- http://dl.central.org/dl/cellservdb/CellServDB Resolving dl.central.org... 128.2.13.212 Connecting to dl.central.org|128.2.13.212|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 37197 (36K) Saving to: ‘CellServDB.1’ CellServDB.1 100%[===================>] 36.33K --.-KB/s in 0.1s 2018-01-05 16:47:21 (281 KB/s) - ‘CellServDB.1’ saved [37197/37197] # echo grand.central.org > /etc/openafs/ThisCell # df /var/cache/openafs Filesystem Size Used Avail Use% Mounted on /dev/sda16 34G 15G 18G 47% / # df -h | grep -i afs AFS 2.0T 0 2.0T 0% /afs # df -h | grep sda16 /dev/sda16 34G 15G 18G 47% / Allocated 50% of available space to the cache: # echo "/afs:/var/cache/openafs:9437184" > /etc/openafs/cacheinfo Configured OpenAFS manager: # sed < ${f} -e s/^AFSD_ARGS=/#AFSD_ARGS=/ -e s/^$/AFSD_ARGS="-dynroot -fakestat -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 70 -nosettime"/ > ${f}+ # mv -f ${f} /tmp/ && mv ${f}+ ${f} # lsmod | grep libafs libafs 888832 2 # systemctl restart openafs-client.service Checked status and all was OK. # cat cacheinfo /afs:/var/cache/openafs:9437184 # tail CellServDB 155.198.63.148 #icafs2.cc.ic.ac.uk 155.198.63.149 #icafs1.cc.ic.ac.uk >hep.man.ac.uk #Manchester HEP 194.36.2.3 #afs1.hep.man.ac.uk 194.36.2.4 #afs2.hep.man.ac.uk 194.36.2.5 #afs3.hep.man.ac.uk >tlabs.ac.za #iThemba LABS Cell 196.24.232.1 #afs01.tlabs.ac.za 196.24.232.2 #afs02.tlabs.ac.za 196.24.232.3 #afs03.tlabs.ac.za This is about as far as I can go with this update. The system is up and ready for use, but that is another chapter. Giving this a tentative OK.
Whiteboard: (none) => MGA6-64-OK
Thanks Len, Validating the update.
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0065.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED