openafs (1.4.12.1+dfsg-4+squeeze2) squeeze-security; urgency=high

  The DES keys used by all previous versions of OpenAFS are not
  sufficiently strong to be secure.  As of this release, all OpenAFS
  servers support using stronger long-term keys than DES.  All sites are
  strongly encouraged to rekey their AFS cells after deploying the new
  version of the AFS server software on all AFS file server and AFS
  database server machines.

  To do so, generate a new set of keys for the afs/ principal for your
  site and store those keys in /etc/openafs/server/rxkad.keytab on all
  file server and database server machines and then restart the server
  processes to upgrade the strength of server-to-server connections.
  After all existing AFS tokens have expired, you can then move the
  KeyFile aside, which will invalidate all old, existing DES tokens.

  If you are using Heimdal as your Kerberos KDC, you need to ensure that
  the afs/ key includes a des-cbc-crc enctype (to allow for session
  keys), but you should remove all DES keys from the keytab before
  deploying it as rxkad.keytab.

  These are only abbreviated instructions and don't include some relevant
  details.  If possible, please study and follow the more comprehensive
  instructions available at:

    http://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt
    http://www.openafs.org/pages/security/how-to-rekey.txt

  linked from .

 -- Russ Allbery  Wed, 24 Jul 2013 12:08:46 -0700

openafs (1.4.4.dfsg1-4) unstable; urgency=low

  The files previously located in /etc/openafs/server-local have been
  moved to /var/lib/openafs/local.  The OpenAFS fileserver and bosserver
  write files to this directory on startup which are not configuration
  files and therefore, per the File Hierarchy Standard, should not be in
  /etc.  Any sysid, sysid.old, NetInfo, and NetRestrict files in
  /etc/openafs/server-local have been copied to /var/lib/openafs/local.

  upserver and upclient have moved to /usr/lib/openafs (from /usr/sbin)
  to match the other programs intended to be run by the bosserver and to
  match upstream's layout.

  If you're running upserver or upclient from bosserver, BosConfig has
  been updated with the new path, but the services have not been
  restarted.  At your convenience, you should restart your servers with:

    bos restart -all -bosserver

  so that the running servers will look at the new locations.  After
  doing so, you may remove /etc/openafs/server-local if you wish.

 -- Russ Allbery  Tue, 19 Jun 2007 03:51:58 -0700
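
Added example for the rekeying note in the 1.4.12.1+dfsg-4+squeeze2 entry above (not part of the OpenAFS package or of these NEWS entries): a check that a keytab listing holds an afs key and no single-DES keys before the file is deployed as rxkad.keytab. It assumes MIT Kerberos "klist -k -e" output as input; the function names, the sample listings and the example.org names are constructed.

```shell
#!/bin/sh
# Added example: flag single-DES keys in a keytab listing before the file is
# deployed as /etc/openafs/server/rxkad.keytab.
# Assumed input: MIT Kerberos "klist -k -e" lines of the form
#   <kvno> <principal> (<enctype>)

# Print "kvno principal enctype" for every single-DES entry read from stdin.
list_des_keys() {
    awk '
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            enc = $NF
            gsub(/[()]/, "", enc)
            sub(/^DEPRECATED:/, "", enc)  # newer klist marks weak enctypes
            if (enc ~ /^des-/)            # des-cbc-crc, des-cbc-md5; not des3-*
                print $1, $2, enc
        }'
}

# Return 0 if the listing has an afs key and no single-DES key,
# 2 if no afs key is present, 1 if a single-DES key remains.
keytab_listing_ok() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -Eq '^ *[0-9]+ +afs[/@]' || return 2
    [ -z "$(printf '%s\n' "$listing" | list_des_keys)" ]
}

# Constructed sample listings (cell and realm names are placeholders).
SAMPLE_BAD='Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- ----------------------------------------------------
   4 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   4 afs/example.org@EXAMPLE.ORG (des3-cbc-sha1)
   4 afs/example.org@EXAMPLE.ORG (DEPRECATED:des-cbc-crc)'
SAMPLE_GOOD='Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- ----------------------------------------------------
   4 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   4 afs/example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)'

# Demo on the constructed listing; prints the one single-DES entry.
printf '%s\n' "$SAMPLE_BAD" | list_des_keys
```

On a server the same check would read the real listing, for example: klist -k -e /etc/openafs/server/rxkad.keytab | keytab_listing_ok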