[Bug 1832690] [NEW] [SRU] Upgrade Ubuntu 20.04, 22.04 and 23.04 to 1.8.10

Launchpad Bug Tracker 1832690 at bugs.launchpad.net
Mon Sep 11 09:19:05 UTC 2023


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Luís Infante da Câmara (luis220413):

[Impact]
To fix several CVEs and client cache corruption and to provide performance and reliability improvements, I would like to upgrade the versions in Ubuntu 20.04, 22.04 and 23.04 to 1.8.10.

[Test Plan]

1. For each updated source package, run its autopkgtests in a clean Ubuntu VM with the release the package was built for, using the binaries in the proposed pocket.
2. Install the openafs-client package in an Ubuntu system.
3. Create AFS cells on other Ubuntu systems running the same Ubuntu version or a different version (by installing the openafs-fileserver package).
4. Connect the first system to those AFS cells. To minimize regression risk, we will test all possible version combinations.
5. Connect the first system to AFS cells with non-Ubuntu servers, such as afs.ist.utl.pt (the AFS cell of our university).
6. Reboot all Ubuntu systems being used for the test and repeat steps 4 and 5.
7. In all systems being used for the test, enable the proposed pocket, install kernels from the proposed pocket (sudo apt install linux-generic/$RELEASE-proposed) and repeat step 6.
8. In all systems being used for the test, disable the proposed pocket and remove all kernels installed from the proposed pocket.
9. In all systems being used for the test, boot into a previous kernel and repeat steps 3, 4 and 5.
10. Remove the openafs-client package in the first system.
11. Remove the openafs-fileserver package from the AFS cells created in step 3.
12. Reboot.
13. Install the openafs-fileserver package on the systems where the AFS cells were created in step 3.
14. Install the openafs-client package on the first system.
15. Repeat steps 4 and 5.

[Where problems could occur]

The OpenAFS client runs as a kernel module and can crash the system or
corrupt kernel data structures, possibly creating security issues.

[Original description]

I'm sure it wasn't so much a decision to ship this version in Bionic as
an artefact of freeze dates, etc, but 1.8.0~pre5 is seemingly not a very
good place to be.  In OpenDev infrastructure we have noticed unfortunate
behaviour like serving corrupt files and then holding onto them in the
cache.  Some terse notes are at [1].

We have some discussions with developers involved in upstream who have
confirmed that the early 1.8 series have a range of known issues that
can cause such problems [2].

So, yeah, I think upgrading this is not really a matter of just nice to
have, but it's pretty much unusable since the version currently in the
base distro just does really nasty things like random corruption.

There don't seem to be too many obstacles to incorporating later
versions; [3] has 1.8.2 packaged and I have built 1.8.3 for Bionic from
upstream sources too [4].  Either of these seems like a better choice for
LTS.  I haven't marked this as a security issue, but there are certainly
security related bugs fixed.

If there is anything I can do to help, please let me know...

[1] https://etherpad.openstack.org/p/opendev-mirror-afs
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-infra/%23openstack-infra.2019-06-12.log.html#t2019-06-12T03:49:41
[3] https://launchpad.net/~openafs/+archive/ubuntu/stable
[4] https://launchpad.net/~openstack-ci-core/+archive/ubuntu/openafs

** Affects: openafs (Ubuntu)
     Importance: Undecided
         Status: Fix Released


** Tags: focal jammy lunar
-- 
[SRU] Upgrade Ubuntu 20.04, 22.04 and 23.04 to 1.8.10
https://bugs.launchpad.net/bugs/1832690
You received this bug notification because you are a member of Ubuntu Sponsors, which is subscribed to the bug report.


