On Fri, Aug 29, 2025 at 07:47:10PM +0200, Thorsten Alteholz wrote:
> Hi Jose,
>
> On 29.08.25 18:28, Jose M Calhariz wrote:
> > Just found out, the latest security update for Debian v11, breaks command
> > bos.
> >
> > Any attempt to run "bos status <server>" returns:
> >
> > bos: running unauthenticated
> > bos: failed to contact host's bosserver (RPC interface mismatch (-451)).
>
> Can you please tell me more about your cell? What version is your bosserver
> running? Are there clients/servers in the cell that are still vulnerable to
> CVE-2024-10397?
>
> I assume that this newly added check:
>
> tconfig.cacheConfig_len != sizeof(cm_initparams_v1)/sizeof(afs_uint32)
>
> in src/libadmin/adminutil/afs_utilAdmin:util_CMClientConfig() is failing.
> Probably your server and client disagree on the size of some structs.
I do not think that specific check would be relevant here -- the libadmin code is mostly unused in terms of the actual binaries that we ship.

I would be looking more closely at the xdr_string() change in src/rx/xdr.c (note the commit message there specifically refers to several callsites in bos.c that rely on the behavior of functions that make use of xdr_string()). The "OPENAFS-SA-2024-003: xdr: Prevent XDR_DECODE buffer overruns" change is also touching some potentially relevant code, as does "OPENAFS-SA-2024-003: xdr: Ensure correct string length in xdr_string".

So more information about the cell would be helpful in trying to track down what is happening.

-Ben
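As an added illustration of the class of check the XDR_DECODE fixes discussed above are about (this is not OpenAFS's xdr_string() and not code from the thread): a minimal XDR string decoder that validates the declared length against the caller's maximum and against the bytes actually present before copying anything. The type and function names and the wire buffers are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Decoder state over a wire buffer (type and function names are illustrative). */
typedef struct { const unsigned char *buf; size_t len; size_t pos; } xdr_buf;
static int xdr_get_u32(xdr_buf *x, uint32_t *out) {
    if (x->len - x->pos < 4) return 0;
    *out = ((uint32_t)x->buf[x->pos] << 24) | ((uint32_t)x->buf[x->pos + 1] << 16)
         | ((uint32_t)x->buf[x->pos + 2] << 8) | (uint32_t)x->buf[x->pos + 3];
    x->pos += 4;
    return 1;
}
/* XDR string (RFC 4506 sec. 4.11): u32 length, bytes, zero padding to 4 bytes.
 * Returns 1 with a malloc'd NUL-terminated copy, or 0 when the declared length
 * exceeds the caller's maximum or the bytes actually present in the buffer. */
int xdr_decode_string(xdr_buf *x, char **sp, uint32_t maxsize) {
    uint32_t size, padded;
    char *s;
    if (!xdr_get_u32(x, &size)) return 0;
    if (size > maxsize || size > UINT32_MAX - 3u) return 0;  /* caller's bound */
    padded = (size + 3u) & ~3u;
    if (padded > x->len - x->pos) return 0;   /* declared length vs bytes present */
    if ((s = malloc((size_t)size + 1)) == NULL) return 0;
    memcpy(s, x->buf + x->pos, size);
    s[size] = '\0';
    x->pos += padded;
    *sp = s;
    return 1;
}

/* Constructed inputs: well-formed "hello" with padding; a header claiming 64 bytes with only 2. */
static const unsigned char WIRE_OK[] = {0,0,0,5,'h','e','l','l','o',0,0,0};
static const unsigned char WIRE_SHORT[] = {0,0,0,64,'h','i'};

int demo_valid(void) {      /* returns 1: decodes "hello" and consumes all 12 bytes */
    xdr_buf x = { WIRE_OK, sizeof WIRE_OK, 0 };
    char *s = NULL;
    int ok = xdr_decode_string(&x, &s, 1024) && strcmp(s, "hello") == 0 && x.pos == 12;
    free(s);
    return ok;
}

int demo_rejected(void) {   /* returns 1: both malformed cases are refused, nothing allocated */
    xdr_buf a = { WIRE_SHORT, sizeof WIRE_SHORT, 0 }, b = { WIRE_OK, sizeof WIRE_OK, 0 };
    char *s = NULL;
    return xdr_decode_string(&a, &s, 1024) == 0    /* declared 64 bytes, only 2 present */
        && xdr_decode_string(&b, &s, 4) == 0       /* "hello" exceeds maxsize 4 */
        && s == NULL;
}
```

The point of the two rejection paths is that a length field taken from the wire must be checked against both the caller's limit and the remaining buffer before it drives a copy; a decoder that trusts it is where XDR_DECODE overruns come from.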

