commit 5ce1027906d901555ee6dbfb14a49cf68a0e9b7c
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Tue Mar 15 21:54:33 2016 -0500

    Make OpenAFS 1.6.17
    
    Update version strings for release 1.6.17.
    
    Change-Id: I5872643935f2c195b938e9cd94e7b0d7b81906fa

commit 0261b673677cbc7136730c6ca51646f0126c56aa
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Tue Mar 15 21:52:40 2016 -0500

    Update NEWS for 1.6.17
    
    Release notes for OpenAFS 1.6.17
    
    Change-Id: I47281bcdb6074a5ab6ba493abf86c1efb2227674

commit becf282ecf9bec3f266d4f8403c1e93d22ab455a
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Mon Mar 14 23:15:20 2016 -0500

    OPENAFS-SA-2016-002 ListAddrByAttributes information leak
    
    The ListAddrByAttributes structure is used as an input to the GetAddrsU
    RPC; it contains a Mask field that controls which of the other fields
    will actually be read by the server during the RPC processing.
    Unfortunately, the client only wrote to the fields indicated by the
    mask, leaving the other fields uninitialized for transmission on the
    wire, leaking some contents of client memory.
    
    Plug the information leak by zeroing the entire structure before use.
    
    FIXES 132847
    
    Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e

commit 5c4afd5558efcd54152d0be4d56c90e4c6860ef9
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Mon Mar 14 23:15:20 2016 -0500

    OPENAFS-SA-2016-002 VldbListByAttributes information leak
    
    The VldbListByAttributes structure is used as an input to several
    RPCs; it contains a Mask field that controls
    which of the other fields will actually be read by the server
    during the RPC processing.  Unfortunately, the client only
    wrote to the fields indicated by the mask, leaving the other
    fields uninitialized for transmission on the wire, leaking
    some contents of client memory.
    
    Plug the information leak by zeroing the entire structure before use.
    
    FIXES 132847
    
    Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e

commit 3ed975016290f916047fe2ac04303ee393e18a7a
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Mon Mar 14 23:15:20 2016 -0500

    OPENAFS-SA-2016-002 AFSStoreVolumeStatus information leak
    
    The AFSStoreVolumeStatus structure is used as an input to the
    RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls
    which of the other fields will actually be read by the server
    during the RPC processing.  Unfortunately, the client only
    wrote to the fields indicated by the mask, leaving the other
    fields uninitialized for transmission on the wire, leaking
    some contents of kernel memory.
    
    Plug the information leak by zeroing the entire structure before use.
    
    FIXES 132847
    
    Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e

commit 90cb77f975244c77ef929be723e5b871247cbe9d
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Sun Mar 13 12:56:24 2016 -0500

    OPENAFS-SA-2016-002 AFSStoreStatus information leak
    
    Marc Dionne reported that portions of the AFSStoreStatus structure
    were not written to before being sent over the network for
    operations such as create, symlink, etc., leaking the contents
    of the kernel stack to observers.  Which fields in the request
    are used are controlled by a flags field, and so if a field was
    not going to be used by the server, it was sometimes left
    uninitialized.
    
    Fix the information leak by zeroing out the structure before use.
    
    FIXES 132847
    
    Change-Id: Iebcac04d1ff70df06d054ddb3b886ab422fb2a14

commit 396240cf070a806b91fea81131d034e1399af1e0
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Wed Mar 9 19:30:20 2016 -0600

    OPENAFS-SA-2016-001 group creation by foreign users
    
    CVE-2016-2860:
    
    The ptserver permits foreign-cell users to create groups as if they were
    system:administrators.  In particular, groups in the user namespace
    (with no colon) and the system: namespace can be created.  No group
    quota is enforced for the creation of these groups, but they will be
    owned by system:administrators and cannot be changed by the user that
    created them.  When processing requests from foreign users, the
    creator ID is overwritten with the ID of system:administrators, and
    that field is later used for access control checks in
    CorrectGroupName(), called from CreateEntry().
    
    The access-control bypass is not possible for creating user entries,
    since there is an early check in CreateOK() that only permits
    administrators to create users, using a correct test for whether
    the call is being made by an administrator.
    
    FIXES 132822
    
    [Based on a patch by Jeffrey Altman.]
    
    Change-Id: I77dcf4a2f7d9c770c805a649f2ddc6bee5f83389

commit be42de4f4f335b86defdac16a491c3b04219f212
Author: Brian Torbich <btorbich@gmail.com>
Date:   Thu Jan 21 10:08:27 2016 -0500

    redhat: Correct permissions on systemd unit files
    
    Change the systemd unit file permissions created via
    openafs.spec to be 0644 instead of 0755.  Having the
    systemd unit files be executable will trigger a systemd
    warning.
    
    FIXES 132662
    
    Reviewed-on: http://gerrit.openafs.org/12174
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    (cherry picked from commit a4c4b786059ac7d5f9ecc5ec07727f000b62c13f)
    
    Change-Id: I0ad33a93c963b7a2d242b43b7d94e2e3f5041e8d
    Reviewed-on: http://gerrit.openafs.org/12196
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

commit e42c91172ac392cb6c1e75dbed30422245555e6c
Author: Michael Meffie <mmeffie@sinenomine.net>
Date:   Mon Feb 8 12:12:22 2016 -0500

    CellServDB update 01 Jan 2016
    
    Update all remaining copies of CellServDB in the tree, and make the
    Red Hat packaging use it by default too.
    
    [mmeffie@sinenomine.net: 1.6.x specific change; also update the debian
    packaging.]
    
    Reviewed-on: http://gerrit.openafs.org/12187
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    (cherry picked from commit 378eae1d534d61d357a0ad681b57b5e203f814ad)
    
    Change-Id: I5f3c8a03fac30e4da6d26ce7f65529e9f048f6b8
    Reviewed-on: http://gerrit.openafs.org/12188
    Reviewed-by: Chas Williams <3chas3@gmail.com>
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

commit 9cf75ab6dd388c6bdf7f6550db0759278d5bfbf1
Author: Stephan Wiesand <stephan.wiesand@desy.de>
Date:   Mon Jun 22 10:44:11 2015 +0200

    redhat: Avoid bogus dependencies when building the srpm
    
    By default the spec defines that both userland and kernel module
    packages should be built. This results in a dependency of the form
    "kernel-devel-`uname -m` = `uname -r`" being added to the source
    package created by makesrpm.pl, which is bogus because the uname
    values are from the system on which the srpm is built and needn't
    apply to the system where it is used. While rpm and rpmbuild ignore
    such dependencies of source packages, other tools don't and may fail.
    
    Some versions of rpmbuild will also enforce those requirements when
    building the srpm itself, which is pointless too.
    
    Avoid both problems by pretending not to attempt building modules
    and ignoring any dependencies when makesrpm.pl invokes rpmbuild -bs.
    
    Reviewed-on: http://gerrit.openafs.org/11903
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
    Tested-by: Stephan Wiesand <stephan.wiesand@desy.de>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    (cherry picked from commit 9ee5fa152b7b7de6a6ddc6ed87bbf9f76da6e3e4)
    
    Change-Id: I76aac20b8dcad2105f8d20a3e169b2f5526ef956
    Reviewed-on: http://gerrit.openafs.org/12195
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
    Tested-by: Stephan Wiesand <stephan.wiesand@desy.de>

commit 50ae4225500d255b1f05de5ca8c763383fe178fe
Author: Mark Vitale <mvitale@sinenomine.net>
Date:   Mon Feb 9 18:16:16 2015 -0500

    pioctl.c: restore required result variable
    
    Commit b9fb9c62a6779aa997259ddf2a83a90b08e04d5f refactored lpioctl()
    so that LINUX would have its own implementation. This also simplified
    the other lpioctl() implementations by removing superfluous variable
    'rval'.
    
    Unfortunately, 'rval' was actually required for both DARWIN and SUN511.
    On both of these platforms, the address of 'errcode' is passed
    to the respective ioctl_*() routine so its value may be passed back
    to lpioctl().   Therefore, 'errcode' must not also be used for the
    return value from these functions;  doing so results in the return
    value from the function overwriting the intended value of 'errcode' upon
    return to lpioctl().
    
    In the case of Solaris 11, ioctl_sun_afs_syscall() always returns zero
    (as long as the ioctl device 'dev/afs' opened successfully).
    So 'errcode' was always being set to zero, even if the pioctl had
    actually failed.  For example, without this fix, 'fs listcells'
    loops forever on Solaris 11, listing an infinite number of "cells",
    because it will never "see" the EDOM that informs it of the last defined
    cell.
    
    Partially revert b9fb9c62a6779aa997259ddf2a83a90b08e04d5f by restoring
    the 'rval' variable and logic for DARWIN and SUN511.
    
    Reviewed-on: http://gerrit.openafs.org/11734
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
    Reviewed-by: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
    Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
    (cherry picked from commit 7ae8e64d1ee79c23da96c326111fdc40015ed5a6)
    
    Change-Id: I6a4b8817f02522144b3adbbae06b3737e6c62585
    Reviewed-on: http://gerrit.openafs.org/11795
    Reviewed-by: Daria Phoebe Brashear <shadow@your-file-system.com>
    Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

commit 6f5dc12bb278998049943c429ebafb5ec840033b
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Thu Feb 6 16:11:49 2014 -0500

    pioctl.c: removed unused variable
    
    The 'rval' variable is only actually used in the LINUX20 case;
    adding another conditional block is making the LINUX20 case
    different enough that it should get split out entirely.
    Doing so lets the 'else' clause be simpler.
    
    Found by clang on FreeBSD 10.0.
    
    Reviewed-on: http://gerrit.openafs.org/10819
    Tested-by: Benjamin Kaduk <kaduk@mit.edu>
    Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
    Reviewed-by: D Brashear <shadow@your-file-system.com>
    (cherry picked from commit b9fb9c62a6779aa997259ddf2a83a90b08e04d5f)
    
    Change-Id: I47f781bc13d54ad5a1b34365fcb9680793b206d1
    Reviewed-on: http://gerrit.openafs.org/11778
    Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

commit 4c17087b8d9f8bd2ad34f308c1208443d60f4e3e
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Thu Feb 6 17:27:28 2014 -0500

    fstrace: only declare 'rval' when it is used
    
    ... to avoid compiler warnings about unused variables.
    
    Found by clang on FreeBSD 10.0.
    
    Reviewed-on: http://gerrit.openafs.org/10822
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Perry Ruiter <pruiter@sinenomine.net>
    Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
    (cherry picked from commit 63291be2216762dd89072f41c9a016608b736ceb)
    
    Change-Id: Ib5d7e14d6077ec2377180b9308d99f49ff79cccc
    Reviewed-on: http://gerrit.openafs.org/11777
    Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

commit 84f1d7f21dc4195d7c8476988c532d62b7bf65c5
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Thu Feb 6 17:01:19 2014 -0500

    FBSD: Switch the dummy 'data' for mount(2)
    
    The mount(2) API takes a void*, but 'rn' is const char*, which
    is const-incorrect.  Our vfs_cmount implementation ignores the 'data'
    parameter, but upstream's kernel mount(2) implementation did
    have a NULL check until r158611 (in the 6.1 or 7.0 timeframe),
    so leave that comment for now.
    
    Arguably we should be using nmount(2) instead of mount(2) anyway,
    but leave that for a separate patch.
    
    Reviewed-on: http://gerrit.openafs.org/10821
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
    (cherry picked from commit 53d7145416c0a6bafa7ecccd113178fc4af04f8f)
    
    Change-Id: Id8ab9ec946a8eee7c73cf234f35e7d12a65f6d84
    Reviewed-on: http://gerrit.openafs.org/11776
    Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

commit 53ef9aa938c604c2c147ad64f649d3c8fc63b548
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Thu Feb 6 15:52:42 2014 -0500

    Remove unneeded inclusion of <sys/timeb.h>
    
    This file is deprecated on FreeBSD, and is not used anywhere.
    
    Reviewed-on: http://gerrit.openafs.org/10817
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
    (cherry picked from commit add4b8100e9b9624b6e03fa7d471367720ab062e)
    
    Change-Id: I06dfd8f90f2e8e4b2ca38692cbc4aa90dcdffe13
    Reviewed-on: http://gerrit.openafs.org/11775
    Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>

commit 5f05961c88d9e819312314b0e7be7bc67a47b6c6
Author: Michael Meffie <mmeffie@sinenomine.net>
Date:   Thu Jan 7 14:15:53 2016 -0500

    Linux: Fix crash when the afs root volume is not found
    
    Commit 602130f1de65eefeb4e31e114070d544eb9edd40 changed the allocation of the
    backing device info to directly use the kernel memory allocator. Unfortunately,
    one of the deallocations was not converted to the kernel memory deallocator
    in the backport to the 1.6.x branch.
    
    The code path is triggered when the afs root volume is not found (for example,
    not -dynroot and the root.afs volume is not available.) This causes the system
    to crash instead of just failing to mount /afs.
    
    This is a 1.6.x change only. This bug was introduced in version 1.6.14.1.
    
    FIXES 132653
    
    Change-Id: Ifc991be5f914b4a4e1a797b7e2178dc03436b8e6
    Reviewed-on: http://gerrit.openafs.org/12166
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    Reviewed-by: Chas Williams <3chas3@gmail.com>
    Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
