AFS is a distributed filesystem product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Labs). It offers a client-server architecture for federated file sharing and replicated read-only content distribution, providing location independence, scalability, security, and transparent migration capabilities. AFS is available for a broad range of heterogeneous systems including UNIX, Linux, MacOS X, and Microsoft Windows.
IBM branched the source of the AFS product, and made a copy of the source available for community development and maintenance. They called the release OpenAFS.
The OpenAFS Foundation is dedicated to fostering the stability and growth of OpenAFS by providing strategic direction and aiming to raise money to support the development and maintenance of OpenAFS. More information on the Foundation can be found on the OpenAFS Foundation website.
OpenAFS 1.8.13.1 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings support for newer Linux mainline kernels (currently up to 6.12) and fixes a build error on AIX systems introduced in OpenAFS 1.8.13. Users of other UNIX/Linux systems do not need to update.
OpenAFS 1.8.13 and 1.6.25 are the next releases in the current and old stable series of releases for Unix/Linux systems. Previous versions contained vulnerabilities that could cause client or file server crashes or disclose the contents of uninitialized memory, or possibly result in the execution of arbitrary code on clients.
OpenAFS 1.8.12.2 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings support for newer Linux mainline kernels (currently up to 6.11). Users of other UNIX/Linux systems do not need to update.
OpenAFS 1.8.12.1 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings support for newer Linux mainline kernels (currently up to 6.10). Users of other UNIX/Linux systems do not need to update.
OpenAFS 1.8.12 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings reliability improvements and support for newer Linux mainline kernels (currently up to 6.9), and fixes an issue that can affect loading the kernel module on the AArch64 architecture.
OpenAFS 1.8.11 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings performance and reliability improvements, improved diagnostics, support for the latest Linux mainline kernel (currently 6.7), macOS releases up to 14 ("Sonoma"), allows the client utilities to run on machines with only server configuration files, updates the bundled CellServDB to the latest version from grand.central.org, as well as a number of bug fixes and minor new features.
OpenAFS 1.8.10 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings performance and reliability improvements, improved diagnostics, support for the latest Linux mainline kernel (currently 6.4), Apple Silicon and macOS releases up to 13 ("Ventura"), much improved support for the AIX platform, including releases 7.1, 7.2 and 7.3, as well as a number of bug fixes and minor new features.
OpenAFS 1.8.9 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings performance and reliability improvements, improved diagnostics, support for the latest Linux mainline kernel (currently 6.0) and recent FreeBSD releases as well as a number of bug fixes.
OpenAFS 1.8.8.1 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It adds support for current Linux mainline kernels (5.14, 5.15 and likely the upcoming 5.16), improves support for FreeBSD 12 and allows Solaris builds using Studio 12.6. Systems not requiring any of those changes can continue to use the 1.8.8 release.
OpenAFS 1.8.8 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings performance and reliability improvements, improved diagnostics, support for the latest Linux mainline kernel (currently 5.13) and macOS 11.0 "Big Sur" as well as support for recent FreeBSD releases and a number of bug fixes.
OpenAFS 1.8.7 is the next release in the current stable series of OpenAFS releases for UNIX/Linux systems. It fixes a critical issue in the generation of Rx connection IDs that prevents Rx clients started after 14 Jan 2021 08:25:36 AM UTC from being able to successfully make connections. In addition to cache managers and client utilities, fileservers and database servers are also affected, since they initiate connections to (other) database servers during their normal operation.
The issue occurs only at startup, while generating the initial connection ID, so cache managers or servers that were already running at the time in question will not be affected until they restart.
OpenAFS 1.9.0 is the first in a series of OpenAFS development releases intended to facilitate testing of new features. It should not be considered production-ready. The 1.9.x series will track development leading up to a new 2.0 major release series; noteworthy features targeted for 2.0 include the rxgk security class and IPv6 support. Bug reports should be filed to openafs-bugs@openafs.org.
OpenAFS 1.8.6 is the next in the current stable series of OpenAFS releases for UNIX/Linux systems. It brings performance improvements, improved diagnostics, support for the latest Linux mainline kernel (currently 5.7) and macOS 10.15 "Catalina", and a number of bug fixes.
Note that aklog and klog.krb5 will now require the -insecure_des switch in order to work with the weak and deprecated single-DES encryption types.
To build this release with GCC 10, the parameter "-fcommon" has to be passed to the compiler, which can be achieved by setting the environment variable CFLAGS to -fcommon when running configure: "CFLAGS=-fcommon ./configure".
OpenAFS 1.8.5 and 1.6.24 are the next releases in the current and old stable series of releases for UNIX/Linux systems. Previous versions contained vulnerabilities that could cause database server crashes or disclose uninitialized memory contents to (potentially unauthenticated) attackers.
OpenAFS 1.8.4 is the next in the current stable series of OpenAFS releases for UNIX/Linux systems. This release brings support for the client under Linux mainline kernels up to 5.3, performance improvements, improved diagnostics, support for Linux on the PPC64 Little Endian platform, fixes and enhancements for Red Hat packaging as well as a number of bug fixes, among those some that should help avoid false ENOENT errors on Linux which can cause symptoms like getcwd() failures.
Note there's a change in ptserver's behaviour when run in restricted mode, which is now consistent with the documentation: Non-members of the system:administrators group are no longer allowed to issue the adduser, setfields and delete pts commands, and all members of system:administrators are now allowed to issue pts commands in this mode, not just the admin principal.
OpenAFS 1.8.3 is the next in the current stable series of OpenAFS releases for UNIX/Linux systems. Besides support for the latest Linux mainline kernels up to 5.0 and macOS 10.14 "Mojave", it brings a number of bug fixes and minor improvements.
OpenAFS 1.8.2 and 1.6.23 are the next releases in the current and old stable series of releases for UNIX/Linux systems. Previous versions contained a severe vulnerability when the in-tree backup system is used, and additional vulnerabilities of moderate severity, which are fixed in these releases.
OpenAFS 1.8.1.1 and 1.6.22.4 are the next in the current and the old stable series of OpenAFS releases for UNIX/Linux systems. They bring support for the latest Linux mainline kernel, 4.18. Systems not requiring this change can continue to use an earlier 1.6.22 or the 1.8.1 release.
OpenAFS 1.8.1 is the latest release from the 1.8 stable branch of OpenAFS.
OpenAFS 1.6.22.3 is the next in the series of OpenAFS old stable releases for UNIX/Linux systems. It brings support for RHEL 7.5 kernels. Systems not requiring this change can continue to use an earlier 1.6.22 release.
OpenAFS 1.8.0 begins a new stable release branch for UNIX/Linux, bringing more than six years of development work into a stable release for the first time.
OpenAFS 1.6.22.2 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It brings support for the latest Linux mainline kernel, 4.15, macOS 10.13 "High Sierra" and APFS as the client cache filesystem, and fixes the getcwd() issues encountered on clients with RHEL 7.4 kernels. Systems not requiring these changes can continue to use an earlier 1.6.22 release.
OpenAFS 1.6.22.1 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It brings support for the latest Linux mainline kernel, 4.14, and fixes for build issues encountered on some recent Linux distributions. Systems not requiring these changes can continue to use the 1.6.22 release.
OpenAFS 1.6.22 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. Versions through 1.6.21.1 contained a security issue of high severity, fixed here.
OpenAFS 1.6.21.1 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It brings support for the latest Linux mainline kernel, 4.13, and a fix for module builds against Linux kernel 4.12 on the S390 platform. Systems not requiring these changes can continue to use the 1.6.21 release.
OpenAFS 1.6.21 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It brings a variety of bug fixes as well as performance and documentation improvements, reduced memory consumption on Linux clients and support for the latest Linux mainline kernel, 4.12.
OpenAFS 1.6.20.2 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It is focused on client side updates. Besides bringing support for Linux kernels 4.10 and likely the soon to be released 4.11, it mainly makes PAGs work on Solaris 11 and fixes the preference pane on recent macOS.
OpenAFS 1.6.20.1 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It mainly adds support for macOS 10.12 "Sierra" and the client on Linux systems with mainline kernel 4.9 or distribution kernels with backports from it.
OpenAFS 1.6.20 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. Versions through 1.6.19 contained a number of security issues of low to medium severity, fixed here.
OpenAFS 1.6.19 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. Besides other bug fixes and minor improvements, this release includes fixes that prevent cases where a database write could be lost or an old version of the database be used instead of the latest version.
OpenAFS 1.6.18.3 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It brings support for the client on Linux systems with mainline kernel 4.7 or distribution kernels with backports from it, fixes memory mapped I/O with large files on Solaris clients and adds packaging support for recent OS X releases.
OpenAFS 1.6.18.2 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It brings support for the client on Linux systems with mainline kernel 4.6 or distribution kernels with backports from it, fixes a regression introduced in release 1.6.18 that could lead to the dentry for the current working directory being erroneously invalidated at least on some kernels, and enables builds on FreeBSD 10.2 and 10.3.
OpenAFS 1.6.18.1 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It brings support for the client on Linux systems with mainline kernel 4.5 or distribution kernels with backports from it.
OpenAFS 1.6.18 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. Significant changes since 1.6.17 include:
OpenAFS 1.6.17 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. Versions through 1.6.16 contained a number of security issues of low to medium severity, fixed here.
Patches for each issue are also individually available.
OpenAFS 1.6.16 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It fixes a wide range of bugs, brings a new "vos remaddrs" subcommand to replace the slightly confusing "vos changeaddr -remove" and allows building against newer ncurses libraries.
OpenAFS 1.6.15 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. Versions through 1.6.14 contained a high impact security issue named "Tattletale" which is fixed in this release: The packet payload of Rx ACK packets is not fully initialized, leaking plaintext from packets previously processed.
Patches for each issue are also individually available.
In the interest of fostering a friendly, welcoming environment for contributors, we have introduced the Contributor Covenant as the code of conduct for the OpenAFS Project. A copy is included in the source tree, and can be found via the Contributor Code of Conduct link included on all pages. For additional information, visit contributor-covenant.org.
OpenAFS 1.6.14.1 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It adds client support for Linux kernel 4.2. Note that due to changes to internal data structures with this kernel release, the OpenAFS client can no longer reset the link count during path lookups. Since volume root directories must behave like symlinks instead of normal directories in order to satisfy Linux kernel invariants, looking up paths containing more than 40 mount points will fail with ELOOP on such kernels. There are no further changes. Systems not affected by the Linux 4.2 VFS changes can continue to use the OpenAFS 1.6.14 release.
OpenAFS 1.6.14 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. It is limited to a fix for an issue introduced in release 1.6.13: Prior to the OpenAFS security release 1.6.13, the Volume Location Server (vlserver) RPC VL_ListAttributesN2() supported wildcard volume name lookups via regular expression (regex) pattern matching. This support was completely disabled in 1.6.13 because it was judged to be a security risk due to buffer overruns in the implementation, as well as the possibility of denial of service attacks where certain regular expressions could cause excessive CPU usage in some regex implementations. After 1.6.13 was released, it was discovered that the native OpenAFS 'backup' system uses the VL_ListAttributesN2() regex support to evaluate configured volume sets.
As a result of this issue, OpenAFS 1.6.14 replaces the 1.6.13 changes to VL_ListAttributesN2. 1.6.14 prevents the buffer overruns and reenables the regex support, but restricts it to OpenAFS super-users and -localauth only. This is sufficient to restore the OpenAFS 'backup' system's ability to work correctly with any previously supported volume set. The OpenAFS 'backup' commands are already documented to require super-user authorization, so this restriction is moot for the backup system.
None of the other security fixes in OpenAFS 1.6.13 are known to have any issues, and are still included unchanged in OpenAFS 1.6.14.
OpenAFS 1.6.13 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. Versions through 1.6.12 contained a number of security issues, fixed here. Patches for each issue are also individually available.
OpenAFS 1.6.11.1 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. This point release is limited to a few client side changes:
OpenAFS fileservers version 1.6.8 for all UNIX/Linux platforms. Earlier releases are not affected. An attacker with the ability to connect to an OpenAFS fileserver can trigger the use of uninitialized memory, crashing the server. This vulnerability is being tracked as CVE-2014-4044.
OpenAFS 1.6.9 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. This release includes the fix for Security Advisory 2014-002. Sites running OpenAFS 1.6.8 fileservers should update them to 1.6.9. Other systems can continue to use the 1.6.8 release.
OpenAFS 1.7.31 is the next in a series of OpenAFS clients for the Microsoft Windows platform that is implemented as a native file system. Significant changes since 1.7.30:
All users of previous 1.7 releases should upgrade.
The 1.7 series is for Microsoft Windows only.
OpenAFS servers versions 1.4.8 through 1.6.6 for all platforms. (The first prerelease of 1.6.8, 1.6.8pre1 is also affected. The final release of 1.6.8 will not be affected.) An attacker with the ability to connect to an OpenAFS fileserver can trigger a buffer overflow, crashing the server. This vulnerability is being tracked as CVE-2014-0159.
OpenAFS 1.6.7 is the next in the current series of OpenAFS stable releases for UNIX/Linux systems. This includes the fix for Security Advisory 2014-001.
We recommend all sites update their servers immediately, following the documentation about how to install the new binaries and rekey your servers.
OpenAFS servers versions before 1.6.2 for all platforms. An attacker with the ability to manipulate AFS directory ACLs may crash the fileserver hosting that volume. In addition, once a corrupt ACL is placed on a fileserver, its existence may crash client utilities manipulating ACLs on that server. This vulnerability is being tracked as CVE-2013-1794.
OpenAFS servers versions before 1.6.2 for all platforms. An attacker who can send an IdToName RPC can crash a ptserver. This vulnerability is being tracked as CVE-2013-1795.
Announcing the 2012 European AFS and Kerberos Conference taking place at the University of Edinburgh School of Informatics from Tuesday 16th to Thursday 18th October 2012. Full details are available at: http://openafs2012.inf.ed.ac.uk/
The call for abstracts is open, so please feel free to submit your presentation proposals. As always, the conference will examine the development outlook for AFS and Kerberos implementations, highlight current projects, and offer space for proposals and new ideas. Also, sites will be able to present their AFS and Kerberos activities in site reports. Please submit proposals by email to openafs-conf@inf.ed.ac.uk.
The latest issue of the monthly OpenAFS newsletter is available at http://www.openafs.org/newsletter/newsletter-2011-07-volume003-issue07.html.
OpenAFS 1.4.14.1 is a patch release for 1.4.14, containing only updates for 1.4.14 on Linux and Solaris. No changes are included for other platforms.
Concurrent with the expected release of MacOS Lion, an initial version of OpenAFS is now available. More details are available on the MacOS page.
OpenAFS 1.4.14 NOT vulnerable. CVE-2011-0431, while correctly describing 1.4.14 as containing the fix for this issue, describes in its summary the release as broken. It is not. We recommend sites upgrade to 1.4.14; however, the impact of the issue is limited to a denial of service attack by a user with the ability to affect a lock of AFS through the client on a host.
OpenAFS servers versions 1.2.8 - 1.4.12.1, 1.5.0-1.5.74 for all platforms. An attacker with control of a client, or the ability to forge RX packets, can crash a server of affected hosts. This vulnerability is being tracked as CVE-2011-0430. Currently the advisory erroneously states 1.4.14 is vulnerable.
The OpenAFS Elders are pleased to announce that with the release of OpenAFS for Windows version 1.5.66, Microsoft Windows 7 becomes an officially supported platform. All versions of Windows 7 including "Home Basic", "Home Premium", "Business", and "Ultimate" are supported on both X86 and X86_64 CPU architectures. Users that are upgrading to Windows 7 from Vista must reinstall OpenAFS after the upgrade.
Concurrent with the release of MacOS 10.6, OpenAFS has released OpenAFS 1.5.62 with 32 and 64 bit kernel and userspace support for Snow Leopard. Additionally, a backport of the necessary support is available and is being distributed with OpenAFS 1.4.11 effective immediately.
Releases of OpenAFS for Windows prior to 1.5.62 may fail to store data to file servers. There are two issues that are addressed in the 1.5.62 release.
After more than eighteen months of attempts to migrate source code management away from CVS, OpenAFS has finally converted to Git. This change will not have any visible impact on end users. For developers there are major changes in the tools required to work with the OpenAFS source repository and the workflow used to submit contributions to OpenAFS. Along with the conversion to Git, OpenAFS is now using the Gerrit source code review application which makes it significantly easier for developers to review and comment on each other's contributions.
OpenAFS clients versions 1.0-1.4.8, 1.5.0-1.5.58 for all Linux 2.4-2.6 platforms. An attacker with control of a fileserver, or the ability to forge RX packets, can crash the cache manager, and hence the kernel, of affected Linux AFS clients. This vulnerability is being tracked as CVE-2009-1250.
OpenAFS clients versions 1.0-1.4.8, 1.5.0-1.5.58 for all Unix platforms except MacOS 10.4, 10.5. An attacker with control of a fileserver, or the ability to forge RX packets, can crash the cache manager, and hence the kernel, of any Unix AFS client. It may be possible for an attacker to cause the kernel to execute arbitrary code. This vulnerability is being tracked as CVE-2009-1251.
Following last year's successful participation in GSoC 2008, OpenAFS has been accepted for a second straight year. Students and OpenAFS experts are encouraged to participate. Student proposals are due April 3. Students and mentors interested in participating in an OpenAFS project should read the OpenAFS Summer of Code page.
Once again, Google will be doing their Summer of Code. For the first year, OpenAFS will be participating as a mentoring organization. Students interested are encouraged to discuss potential projects on the openafs development list. We have a list of suggested projects online, but we would be happy to discuss any relevant project with you.
OpenAFS fileserver versions 1.3.50 - 1.4.5, 1.5.0 - 1.5.27. Fileservers of affected versions can be crashed by a client-triggered race condition. Fixes are available in 1.4.6 and 1.5.28.
The OpenAFS Elders newsletter for November is available now.
The OpenAFS Elders newsletter for August is available now.
OpenAFS for Windows clients versions 1.3.64 - 1.3.99, 1.4.0 - 1.4.4, 1.5.0 - 1.5.18. When MIT Kerberos for Windows (any version) is installed, a user with the ability to alter the contents of the Kerberos v5 configuration profile can prevent Microsoft Windows from successfully booting. This issue has been corrected in OpenAFS 1.5.19.
Unix clients in OpenAFS versions before 1.5.17 and 1.4.4 allow a potential privilege escalation via setuid functionality which can be enabled by the client administration but is enabled by default for the client's local cell. To avoid this issue, 1.5.17 and 1.4.4 have been issued with setuid disabled by default in all cases.
AFSv3 was designed and implemented during the late 80s and early 90s when the state of the art in distributed computer authentication and data confidentiality was to use Kerberos 4 and the United States' Data Encryption Standard (DES). Over the last two years the U.S. National Institute of Standards and Technology (NIST) has withdrawn the DES standard and MIT has announced the end of life of Kerberos 4. In response, the OpenAFS Elders have approved a roadmap to transition from DES to stronger ciphers which includes the deprecation of the OpenAFS kaserver.
pam-afs-session is a PAM module intended for use with a Kerberos v5 PAM module to obtain an AFS PAG and AFS tokens on login. It puts every new session in a PAG regardless of whether it was authenticated with Kerberos and runs a configurable external program to obtain tokens. It supports using Heimdal's libkafs for the AFS interface and falls back to an internal Linux-only implementation if libkafs isn't available.
The OpenAFS Elders are pleased to announce that with the release of OpenAFS for Windows version 1.5.12, Microsoft Windows Vista becomes an officially supported platform. All versions of Vista including "Home Basic", "Home Premium", "Business", and "Ultimate" are supported on both X86 and X86_64 CPU architectures.
The minutes of the most recent OpenAFS Council of Elders meeting are online now.