openafs (1.4.10+dfsg1-1) unstable; urgency=high

  This release of OpenAFS contains security fixes in the kernel module.
  Be sure to also upgrade openafs-modules-source, build a new kernel
  module for your system following the instructions in
  /usr/share/doc/openafs-client/README.modules.gz, and then either stop
  and restart openafs-client or reboot the system to reload the kernel
  module.

 -- Russ Allbery <rra@debian.org>  Mon, 06 Apr 2009 15:51:14 -0700

openafs (1.4.2-6) unstable; urgency=medium

  As of this release of the OpenAFS kernel module, all cells, including
  the local cell, have setuid support turned off by default due to the
  possibility of an attacker forging AFS fileserver responses to create a
  fake setuid binary.  Prior releases enabled setuid support for the local
  cell.  Those binaries will now run with normal permissions by default.

  This security fix will only take effect once you've installed a kernel
  module from openafs-modules-source 1.4.2-6 or later.  Doing so is highly
  recommended.  In the meantime, you can disable setuid support by
  running:

      fs setcell -cell <localcell> -nosuid

  as root (where <localcell> is your local cell, the one listed in
  /etc/openafs/ThisCell).

  If you are certain there is no security risk of an attacker forging AFS
  fileserver responses, you can enable setuid status selectively using the
  fs setcell command.

 -- Russ Allbery <rra@debian.org>  Sun, 11 Mar 2007 22:28:07 -0700