AFS is a distributed filesystem product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Labs). It offers a client-server architecture for federated file sharing and replicated read-only content distribution, providing location independence, scalability, security, and transparent migration capabilities. AFS is available for a broad range of heterogeneous systems including UNIX, Linux, MacOS X, and Microsoft Windows
IBM branched the source of the AFS product, and made a copy of the source available for community development and maintenance. They called the release OpenAFS.
OpenAFS 1.7.24 is the next a series of OpenAFS clients for the Microsoft Windows platform that is implemented as a native file system. Significant changes since 1.7.23:
All users of previous 1.7 releases should upgrade.
The 1.7 series is for Microsoft Windows only.
OpenAFS servers versions before 1.6.2 for all platforms. An attacker with the ability to manipulate AFS directory ACLs may crash the fileserver hosting that volume. In addition, once a corrupt ACL is placed on a fileserver, its existence may crash client utilities manipulating ACLs on that server. This vulnerability is being tracked as CVE-2013-1794.
OpenAFS servers versions before 1.6.2 for all platforms. An attacker who can send an IdToName RPC can crash a ptserver. This vulnerability is being tracked as CVE-2013-1795.
OpenAFS 1.6.2 is the third in a new series of OpenAFS stable releases.
The 1.6 series is intended to provide new features including the Demand Attach File Service and Disconnected AFS, on other platforms including MacOS X, Linux variants, and UNIX, and includes numerous new features since 1.5.72, especially for users of MacOS X.
1.6.2 includes fixes for 2 security advisories, CVE-2013-1794 and CVE-2013-1795.
Sites using 1.6 versions are urged to upgrade to 1.6.2! Sites running older versions should update to 1.6.2 or apply the security patches to their current release.
Announcing the 2012 European AFS and Kerberos Conference taking place at the University of Edinburgh School of Informatics from Tuesday 16th to Thursday 18th October 2012.Full details are available at: http://openafs2012.inf.ed.ac.uk/
The call for abstracts is open and so please feel free to submit your presentation proposals. As always the conference will examine the development outlook for AFS and Kerberos implementations, it will highlight current projects and will offer space to proposals and new ideas. Also, sites will be able to present their AFS and Kerberos activities in site reports. Please submit proposals by email to firstname.lastname@example.org.
The latest issue of the monthly OpenAFS newsletter is available at http://www.openafs.org/newsletter/newsletter-2011-07-volume003-issue07.html.
OpenAFS 18.104.22.168 is a patch release for 1.4.14, containing only updates for 1.4.14 on Linux and Solaris. No changes are included for other platforms.
Concurrent with the expected release of MacOS Lion, an initial version of OpenAFS is now available. More details are available on the MacOS page.
OpenAFS 1.4.14 NOT vulnerable CVE-2011-0431, while correctly describing 1.4.14 as containing the fix for this issue, describes in its summary the release as broken. It is not. We recommend sites upgrade to 1.4.14; However, the impact of the issue is limited to a denial of service attack by a user with the ability to affect a lock of AFS though the client on a host.
OpenAFS servers versions 1.2.8 - 22.214.171.124, 1.5.0-1.5.74 for all platforms. An attacker with control of a client, or the ability to forge RX packets, can crash a server of affected hosts. This vulnerability is being tracked as CVE-2011-0430. Currently the advisory erroneously states 1.4.14 is vulnerable.
The OpenAFS Elders are pleased to announce that with the release of OpenAFS for Windows version 1.5.66 that Microsoft Windows 7 becomes an officially supported platform. All versions of Windows 7 including "Home Basic", "Home Premium", "Business", and "Ultimate" are supported on both X86 and X86_64 CPU architectures. Users that are upgrading to Windows 7 from Vista must reinstall OpenAFS after the upgrade.
Concurrent with the release of MacOS 10.6, OpenAFS has released OpenAFS 1.5.62 with 32 and 64 bit kernel and userspace support for Snow Leopard. Additionally, a backport of the necessary support is available and is being distributed with OpenAFS 1.4.11 effective immediately.
Releases of OpenAFS for Windows prior 1.5.62 may fail to store data to file servers. There are two issues that are addressed in the 1.5.62 release.
After more than eighteen months of attempts to migrate source code management away from cvs OpenAFS has finally converted to Git. This change will not have any visible impact on end users. For developers there are major changes in the tools required to work with the OpenAFS source repository and the workflow used to submit contributions to OpenAFS. Along with the conversion to Git, OpenAFS is now using the Gerrit source code review application which makes it significantly easier for developers to review and comment on each other's contributions.
OpenAFS clients versions 1.0-1.4.8, 1.5.0-1.5.58 for all Linux 2.4-2.6 platforms. An attacker with control of a fileserver, or the ability to forge RX packets, can crash the cache manager, and hence the kernel, of affected Linux AFS clients. This vulnerability is being tracked as CVE-2009-1250.
OpenAFS clients versions 1.0-1.4.8, 1.5.0-1.5.58 for all Unix platforms except MacOS 10.4, 10.5. An attacker with control of a fileserver, or the ability to forge RX packets, can crash the cache manager, and hence the kernel, of any Unix AFS client. It may be possible for an attacker to cause the kernel to execute arbitrary code. This vulnerability is being tracked as CVE-2009-1251.
Following last year's successful participation in GSoC 2008, OpenAFS has been accepted for a second straight year. Students and OpenAFS experts are encouraged to participate. Student proposals are due April 3. Students and mentors interested in participating in an OpenAFS project should read the OpenAFS Summer of Code page.
Once again, Google will be doing their Summer of Code. For the first year, OpenAFS will be participating as a mentoring organization. Students interested are encouraged to discuss potential projects on the openafs development list. We have a list of suggested projects online, but we would be happy to discuss any relevant project with you.
OpenAFS fileserver versions 1.3.50 - 1.4.5, 1.5.0 - 1.5.27. Fileservers of affected versions can be crashed by a client-triggered race condition. Fixes are available in 1.4.6 and 1.5.28.
The OpenAFS Elders newsletter for November is available now.
The OpenAFS Elders newsletter for August is available now.
OpenAFS for Windows clients versions 1.3.64 - 1.3.99, 1.4.0 - 1.4.4, 1.5.0 - 1.5.18. When MIT Kerberos for Windows (any version) is installed a user with the ability to alter the contents of the Kerberos v5 configuration profile can prevent Microsoft Windows from successfully booting. This issue has been corrected in OpenAFS 1.5.19.
Unix clients in OpenAFS versions before 1.5.17 and 1.4.4 allow a potential privilege escalation via setuid functionality which can be enabled by the client administration but is enabled by default for the client's local cell. To avoid this issue, 1.5.17 and 1.4.4 have been issued with setuid disabled by default in all cases.
AFSv3 was designed and implemented during the late 80s and early 90s when the state of the art in distributed computer authentication and data confidentiality was to use Kerberos 4 and the United States' Data Encryption Standard (DES). Over the last two years the U.S. National Institutes of Standards and Technology (NIST) has withdrawn the DES standard and MIT has announced the end of life of Kerberos 4. In response, the OpenAFS Elders have approved a roadmap to transition from DES to stronger ciphers which includes the deprecation of the OpenAFS kaserver.
pam-afs-session is a PAM module intended for use with a Kerberos v5 PAM module to obtain an AFS PAG and AFS tokens on login. It puts every new session in a PAG regardless of whether it was authenticated with Kerberos and runs a configurable external program to obtain tokens. It supports using Heimdal's libkafs for the AFS interface and falls back to an internal Linux-only implementation if libkafs isn't available.
The OpenAFS Elders are pleased to announce that with the release of OpenAFS for Windows version 1.5.12 that Microsoft Windows Vista becomes an officially supported platform. All versions of Vista including "Home Basic", "Home Premium", "Business", and "Ultimate" are supported on both X86 and X86_64 CPU architectures.
The minutes of the most recent OpenAFS Council of Elders meeting are online now.