On Tue, Jul 03, 2007 at 12:55:08PM +0200, Valentin Vidic wrote:
> On Tue, Jul 03, 2007 at 12:47:27PM +0300, Kyriakos Ginis wrote:
> > Anyway, does this affect only the lcg-CE as you mentioned in the
> > broadcasted message? What about other nodes that use lcmaps, like the
> > gLite-CE and the classic SE?
>
> It seems this might affect all nodes using old edg-lcmaps (LCMAPS
> v0.0.30) packages:
>
> lcg-CE
> lcg-CE_torque
> glite-VOBOX
> glite-SE_classic
> glite-SE_dpm_disk
> glite-SE_dpm_mysql
> glite-SE_dpm_oracle
>
> Nodes using new glite-security-lcmaps (LCMAPS v1.3.6) should not be
> affected:
>
> glite-CE
> glite-WMS

So this is fixed in glite-security-lcmaps. Isn't it feasible to
backport the fix to the old edg-lcmaps package?
One could argue that this is almost a security bug, since it allows
privilege escalation from plain user to SGM user.