Hi *,
Please note this announcement of a security patch. This corrects a
vulnerability which affects the *-proxy-init commands, and potentially
allows the theft of proxies. The vulnerability is already in the public
domain, announced by Globus, and sites should therefore regard it as an
urgent upgrade. This affects the UI clients, which may be installed on
machines which are not otherwise regarded as grid nodes, so make sure
you upgrade all instances. The clients can also be installed in user
space, so pass this on to your users in case they have their own copies.
Stephen
-----Original Message-----
From: EGEE BROADCAST [mailto:[log in to unmask]]
Sent: 05 September 2006 10:58
To: [log in to unmask]
Subject: Security Update to gLite 3.0 and LCG-2_7_0
This email has been sent in copy mode
From : [log in to unmask]
Cc : [log in to unmask]
------------------------------------------------------------------------------------
Publication from : Oliver Keeble 9443 <[log in to unmask]> (CERN)
This mail has been sent using the broadcasting tool available at
http://cic.in2p3.fr
------------------------------------------------------------------------------------
A new set of updates to gLite 3.0 and LCG-2_7_0 has been released to
address a security issue.
The UIs are particularly impacted by this vulnerability and should receive
the fixed packages as a priority.
The full text of the advisory is included here, and is available on the
gLite updates page;
http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
**********************************************
Proxy Generation Tool Insecure Temporary File Handling Vulnerability
2006/09/05
-- Affected Software:
gLite 3.0, LCG 2.7.0 and prior versions
-- Affected Components:
vdt_globus_essentials-VDT1.2.2rh9_LCG-1.i386.rpm
vdt_globus_essentials-VDT1.2.2rh9-1.i386.rpm
vdt_globus_sdk-VDT1.2.2rh9-1.i386.rpm
vdt_globus_essentials-VDT1.2.5ia64_slc3-4.ia64.rpm
vdt_globus_sdk-VDT1.2.5ia64_slc3-4.ia64.rpm
glite-security-voms-clients-1.6.10-0.i386.rpm
glite-security-voms-clients-1.6.16-1.i386.rpm
glite-security-voms-clients-1.6.19-0.ia64.rpm
voms-client_gcc3_2_2-1.5.4-1_sl3.i386.rpm
voms-client-1.5.4-1_sl3.ia64.rpm
Previous versions of the above rpms are also affected
-- Reference
gLite and LCG are using VDT 1.2.x, VOMS 1.5.4 and VOMS 1.6.x, which suffer
from issues relating to the following flaw reported by Globus:
http://www-unix.globus.org/mail_archive/security-announce/2006/08/msg00002.html
-- Vulnerability details
voms-proxy-init, grid-proxy-init, myproxy-init are used to create proxy
certificates to authenticate against Grid services. The current versions
are affected by flaws caused by an insecure handling of temporary files
during the generation of the proxy certificates. Consequently, under some
circumstances, a local attacker could create carefully crafted files, in
order to obtain the newly generated Grid proxy certificates of other users
or to cause an arbitrary file writable for the user to be overwritten.
-- Grid Security Vulnerability Group Response
The Grid Security Vulnerability Group strongly recommends that all sites
upgrade the relevant components to the following versions BEFORE
2006/09/19.
-- Installation Notes
The UIs are particularly impacted by this vulnerability and should receive
the fixed packages as a priority.
The glite 3.0 nodes affected are
glite-CE
glite-FTA_mysql
glite-FTA_oracle
glite-FTS_mysql
glite-FTS_oracle
glite-LB
glite-LFC_mysql
glite-LFC_oracle
glite-MON
glite-MON_e2emonit
glite-PX
glite-SE_classic
glite-SE_dcache
glite-SE_dcache_gdbm
glite-SE_dpm_disk
glite-SE_dpm_mysql
glite-SE_dpm_oracle
glite-UI
glite-VOBOX
glite-VOMS_mysql
glite-VOMS_oracle
glite-WMS
glite-WMSLB
glite-WN
lcg-CE
lcg-CE_torque
lcg-RB
The appropriate middleware repositories have been updated, and
there is no reconfiguration required, but you should run ldconfig after
installing the LCG-2_7_0 updates. The updates are as follows;
GLITE 3.0 on i386
http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.updates/
http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.externals/
glite-security-voms-clients-1.6.16-2.rpm
voms-client_gcc3_2_2-1.5.4-2_sl3.i386.rpm
vdt_globus_essentials-VDT1.2.2rh9_LCG-2.i386.rpm
vdt_globus_sdk-VDT1.2.2rh9_LCG-2.i386.rpm
A new version, 3.0.4, of the relocatable tarball is also available.
http://glite.web.cern.ch/glite/packages/R3.0/R20060829_3_0_3/bin/rhel30/i386/tgz/glite-UI_WN-3.0.4.tar.gz
LCG-2_7_0 on i386
http://grid-deployment.web.cern.ch/grid-deployment/gis/apt/LCG-2_7_0/sl3/en/i38$
glite-security-voms-clients-1.6.16-2.rpm
glite-security-voms-api-cpp-1.6.16-4.i386.rpm
glite-security-voms-api-c-1.6.16-4.i386.rpm
glite-security-voms-api-1.6.16-3.i386.rpm
voms-client_gcc3_2_2-1.5.4-2_sl3.i386.rpm
vdt_globus_essentials-VDT1.2.2rh9_LCG-2.i386.rpm
vdt_globus_sdk-VDT1.2.2rh9_LCG-2.i386.rpm
You should run 'ldconfig' after installing these updates.
LCG-2_7_0 on ia64
http://grid-deployment.web.cern.ch/grid-deployment/RpmDir_ia64-sl3/
vdt_globus_essentials-VDT1.2.5ia64_slc3_LCG-2.ia64.rpm
vdt_globus_sdk-VDT1.2.5ia64_slc3_LCG-2.ia64.rpm
voms-client-1.5.4-2_sl3.ia64.rpm
An update to the voms-client-1.6 series on ia64 will be released when available.
In the meantime we recommend
chmod 0 $GLITE_LOCATION/bin/voms-proxy-init
on any ia64 UIs.
Remember to report any issues with this set of updates using GGUS;
http://www.ggus.org
-- Further documentation
This advisory is available at the following URL;
http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
-- Credit
This vulnerability was initially reported to Globus by Benjamin Bennett
(Pittsburgh Supercomputing Center).
-- Disclosure Timeline
2006-08-15 Vulnerability announced by Globus
2006-08-16 Initial response from the Grid Security Vulnerability Group
2006-08-16 Initial response from the VOMS developers
2006-08-18 Initial response from the VDT developers
2006-08-25 First updated sources received by the integration team
2006-08-29 All updated sources received by the integration team
2006-09-01 Updated LCG and gLite packages available
2006-09-04 Certification and release preparation completed
2006-09-05 Public disclosure
************************************************************************
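As an added illustration of the flaw class the advisory describes, here is a small C program that is not code from Globus, VOMS, the VDT or anyone in the thread above. It shows the two outcomes the advisory names, a planted file redirecting a proxy write and an arbitrary user-writable file being overwritten, next to the hardened way of creating the proxy file. The proxy filename x509up_u1000, the victim filename, the scratch directory under /tmp and the PEM text are all constructed for the demonstration; the real tools' paths and internals are not reproduced here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not the real tools' code): a predictable
 * path opened without O_EXCL. fopen("w") follows a symlink that a local
 * attacker planted there, so the proxy bytes are written into, and truncate,
 * whatever the link targets. Fixing the mode afterwards does not help: it
 * races against the attacker, and chmod() follows the link as well. */
static int write_proxy_insecure(const char *path, const char *pem)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(pem, f);
    fclose(f);
    chmod(path, 0600);
    return 0;
}

/* Hardened pattern: O_CREAT|O_EXCL refuses anything already present at
 * `path`, including a symlink (even a dangling one), O_NOFOLLOW makes the
 * intent explicit, and mode 0600 is applied atomically at creation, so the
 * proxy is never readable by other users, not even for an instant. */
static int write_proxy_secure(const char *path, const char *pem)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;          /* errno is EEXIST or ELOOP when something was planted */
    size_t len = strlen(pem);
    ssize_t n = write(fd, pem, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

static int read_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Stage the attack in a private scratch directory and report the outcome as
 * a bit mask (both parties run as the same uid here, which is enough to show
 * the file-system behaviour):
 *   bit 0: the insecure writer overwrote the victim's file through the link
 *   bit 1: the secure writer refused the planted link and left the file intact */
int simulate_symlink_attack(void)
{
    char dir[] = "/tmp/proxydemo.XXXXXX";        /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[512], proxy[512], buf[256];
    snprintf(victim, sizeof victim, "%s/victim_file", dir);
    snprintf(proxy, sizeof proxy, "%s/x509up_u1000", dir); /* predictable proxy name (constructed) */

    const char *original = "original contents\n";
    const char *pem = "-----BEGIN CERTIFICATE-----\n(constructed proxy material)\n";
    int result = 0;

    /* Victim's pre-existing writable file, then the attacker's planted link. */
    if (write_proxy_secure(victim, original) != 0 || symlink(victim, proxy) != 0)
        goto cleanup;

    if (write_proxy_insecure(proxy, pem) == 0 &&
        read_file(victim, buf, sizeof buf) > 0 && strcmp(buf, pem) == 0)
        result |= 1;

    /* Restore the victim's file; the planted link is still in place. */
    unlink(victim);
    if (write_proxy_secure(victim, original) != 0)
        goto cleanup;

    if (write_proxy_secure(proxy, pem) < 0 && (errno == EEXIST || errno == ELOOP) &&
        read_file(victim, buf, sizeof buf) > 0 && strcmp(buf, original) == 0)
        result |= 2;

cleanup:
    unlink(proxy);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = simulate_symlink_attack();
    printf("insecure writer clobbered the victim's file: %s\n", (r & 1) ? "yes" : "no");
    printf("secure writer refused the planted link:     %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The same O_EXCL failure is what protects against the proxy-theft variant: an attacker who pre-creates a world-readable file at the expected proxy path would, with the insecure writer, receive the fresh proxy in a file they own and can read, whereas the hardened writer refuses to reuse any pre-existing path and the user is told to investigate rather than silently handed a leaked credential.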