authorBenjamin Kaduk <bjk@FreeBSD.org>2013-07-25 18:29:27 +0000
committerBenjamin Kaduk <bjk@FreeBSD.org>2013-07-25 18:29:27 +0000
commite3d11f460c534f6026e597b161519865f4b3f51a (patch)
tree297b380fe05d8b76125c8b46a17f8752bda149e3
parent5f74a99300198386a58fb8e3e418bdf97f00691a (diff)
Update to 1.6.5
This is a security release by upstream, and requires configuration changes in addition to the software update. See UPDATING. Reviewed by: ports-security (zi, remko) Approved by: hrs (mentor, ports committer)
Notes
Notes: svn path=/head/; revision=323659
-rw-r--r--UPDATING11
-rw-r--r--net/openafs/Makefile2
-rw-r--r--net/openafs/distinfo8
-rw-r--r--security/vuxml/vuln.xml31
4 files changed, 47 insertions, 5 deletions
diff --git a/UPDATING b/UPDATING
index 8e8e2fe1023d..748e7350ce67 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,17 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20130725:
+ AFFECTS: users of net/openafs
+ AUTHOR: bjk@FreeBSD.org
+
+ The OpenAFS 1.6.5 release is a security release which requires substantial
+ configuration changes to the AFS servers in addition to the software update,
+ in order to be fully protected. The entry for OPENAFS-SA-2013-003 on
+ http://www.openafs.org/security/ has links to the upgrade documentation.
+ The procedure involves rekeying the cell to a non-DES krb5 key, stored in
+ a krb5 keytab named rxkad.keytab in PREFIX/etc/openafs/server/.
+
20130720:
AFFECTS: users of japanese/mozc-server and japanese/mozc-el
AUTHOR: hrs@FreeBSD.org
diff --git a/net/openafs/Makefile b/net/openafs/Makefile
index 9110e7c57e28..811912a0978e 100644
--- a/net/openafs/Makefile
+++ b/net/openafs/Makefile
@@ -21,7 +21,7 @@ LICENSE_NAME= IBM Public License Version 1.0
LICENSE_FILE= ${WRKSRC}/doc/LICENSE
LICENSE_PERMS= auto-accept
-AFS_DISTVERSION= 1.6.4
+AFS_DISTVERSION= 1.6.5
DBVERSION= 2013-01-28
OPTIONS_DEFINE= FUSE
diff --git a/net/openafs/distinfo b/net/openafs/distinfo
index a034a02c0f17..0e8a38930e42 100644
--- a/net/openafs/distinfo
+++ b/net/openafs/distinfo
@@ -1,6 +1,6 @@
-SHA256 (openafs-1.6.4-src.tar.bz2) = a724d23c0cf942e2c463487b4ce213db41ac5801c8a8d74d372d5757313224d7
-SIZE (openafs-1.6.4-src.tar.bz2) = 14562800
-SHA256 (openafs-1.6.4-doc.tar.bz2) = e0953c67dc9eee6bb4494d935e4e7ae560332405f670315ecc86c178fde2c93e
-SIZE (openafs-1.6.4-doc.tar.bz2) = 3493373
+SHA256 (openafs-1.6.5-src.tar.bz2) = 176fab2d710d8dcf566f5aa229fd796dd8165561d57590e32790a3034a195ef2
+SIZE (openafs-1.6.5-src.tar.bz2) = 14400420
+SHA256 (openafs-1.6.5-doc.tar.bz2) = 754ce1fd1c3b9026883453d5cde1705452568f4e54e86fbf02a75debf8f57f2f
+SIZE (openafs-1.6.5-doc.tar.bz2) = 3488188
SHA256 (CellServDB.2013-01-28) = faa755c6e13d8a71182a4036d1cee01bce49fb2a93feb6499683f22049391a17
SIZE (CellServDB.2013-01-28) = 36787
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 133f6d3cd86c..f7b265f6b05e 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,37 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="c4d412c8-f4d1-11e2-b86c-000c295229d5">
+ <topic>openafs -- single-DES cell-wide key brute force vulnerability</topic>
+ <affects>
+ <package>
+ <name>openafs</name>
+ <range><lt>1.6.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>OpenAFS Project reports:</p>
+ <blockquote cite="http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt">
+ <p>The small size of the DES key space permits an attacker to brute
+ force a cell's service key and then forge traffic from any user
+ within the cell. The key space search can be performed in under 1
+ day at a cost of around $100 using publicly available services.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-4134</cvename>
+ <url>http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt</url>
+ <url>http://openafs.org/pages/security/how-to-rekey.txt</url>
+ <url>http://openafs.org/pages/security/install-rxkad-k5-1.6.txt</url>
+ </references>
+ <dates>
+ <discovery>2013-07-24</discovery>
+ <entry>2013-07-25</entry>
+ </dates>
+ </vuln>
+
<vuln vid="2ae24334-f2e6-11e2-8346-001e8c75030d">
<topic>subversion -- remotely triggerable "Assertion failed" DoS vulnerability or read overflow.</topic>
<affects>
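Review bot: The new entry's `<range><lt>1.6.5</lt></range>` marks every 1.6.5 install as unaffected, yet the UPDATING text in this same commit says the software update alone does not give full protection and the cell must be rekeyed to a non-DES key. A server upgraded to 1.6.5 but still holding the single-DES service key would presumably drop out of any audit driven by vuln.xml while remaining open to the key search quoted in the blockquote. I would add a paragraph to the `<body>` after the blockquote, for example `<p>Upgrading to 1.6.5 does not by itself remove the exposure; the cell must also be rekeyed to a non-DES key, see how-to-rekey.txt in the references.</p>`, so the advisory text points operators at the rekeying step. Separately, the advisory URLs here use `openafs.org/pages/security/` while UPDATING points at `www.openafs.org/security/`; using one form in both places would be cleaner.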