On Fri, Feb 05, 2021 at 05:11:31PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2021-02-05 at 08:38 -0800, Benjamin Kaduk wrote:
> > All upstream openafs releases from the 1.8.x series, prior to 1.8.7,
> > contain a "time bomb" bug that activates when the unix epoch time
> > passes 0x60000000 (Thu 14 Jan 2021 08:25:36 AM UTC).
>
> Given the statement "prior to 1.8.7", it would have been helpful to be
> explicit about the fact that the Debian package of 1.8.6-5 (in unstable
> and testing) contains the fixes.

Sorry. upstream 1.8.7 is equivalent to debian 1.8.6-5 in this regard (I
prepared the debian version before the upstream release due to the delays
in the upstream CI machinery).

> [...]
> > Both AFS clients and AFS servers are affected.
> > Unpatched clients started after the cutover time are unable to
> > perform any filesystem access (the error "connection timed out" is
> > reported).
> > Unpatched file servers started after the cutover time are unable to
> > connect to protection servers and verify user group membership to
> > enforce ACLs, and are unable to connect to other file (volume)
> > servers to move volumes.
> > Unpatched database servers started after the cutover time are unable
> > to connect to each other, resulting in a breakdown of the ubik
> > distributed consensus protocol in deployments that use more than one
> > database server (three database servers is common).
>
> The timing here is rather unfortunate. The next point release for
> buster is tomorrow, and it's far too late to get any additional changes
> in to that.
>
> Please feel free to upload, and we can look at processing the package
> after the point release is out of the way. I assume you'd appreciate a
> stable-updates release for the updated package, rather than waiting for
> the following point release?

Yes, that would be appreciated.

> Having said that, there are presumably already a bunch of broken
> servers, given there was a kernel security update for buster recently
> and we're already a few weeks past the relevant timestamp. :-(

Salvatore did remind me of that, yes :(
I incurred some unfortunate delays in being able to actually test the
updated packages in a buster environment personally.

Thanks,

Ben