Update NEWS for 1.6.24

Release notes for the OpenAFS 1.6.24 security release.

Change-Id: Id12988da9e71dc338bf259d4ac32ceaa6da70197

NEWS

@@ -1,5 +1,32 @@
                        User-Visible OpenAFS Changes
 
+OpenAFS 1.6.24
+
+All platforms
+
+    * Fix OPENAFS-SA-2019-001: information leakage in failed RPC output
+      Generated RPC handler routines ran output variables through XDR encoding
+      even when the call had failed and would shortly be aborted (and for
+      which uninitialized output variables is common); any complete packets
+      assembled in the process would be sent to the peer, leaking the contents
+      of the uninitialized memory in question.
+
+    * Fix OPENAFS-SA-2019-002: information leakage from uninitialized scalars
+      Generated RPC handler routines did not initialize output variables of
+      scalar (fixed-length) type, since they did not require dedicated logic to
+      free.  Such variables allocated on the stack could remain uninitialized
+      in some cases (including those affected by OPENAFS-SA-2019-001), and the
+      contents of uninitialized memory would be returned to the peer.
+
+All server platforms
+
+    * Fix OPENAFS-SA-2019-003: fix crash in database servers
+      The ubik debugging RPCs prioritize being fast and non-disruptive to
+      database operations over strict correctness, and do not adhere to the
+      usual locking protocol for data access.  A data race could cause a NULL
+      dereference if the second memory load was not optimized out by the
+      compiler.
+
 OpenAFS 1.6.23
 
   All platforms