All sites running v1.6.X of DPM should upgrade as soon as possible. Only
the gridftp server has to be upgraded.
For sites on v1.5.10 it *might* be possible to run the upgraded gridftp
server with the remaining components on 1.5.10. This will allow the
security patch to be deployed quickly while postponing the need for a
complete upgrade to 1.6.X (which has some complications if you are still
on 1.5.10). I am currently investigating this possibility.
Cheers,
Greig
Alessandra Forti wrote:
> TO ALL DPM SITES.
>
> -------- Original Message --------
> Subject: [HEPMAN-LCG] gLite 3.0 SECURITY PATCH. Priority: **URGENT**
> Date: Mon, 2 Jul 2007 18:05:26 +0200
> From: EGEE BROADCAST
>
>
> ------------------------------------------------------------------------------------
>
>
> Publication from: Nick Thackray (CERN)
>
> This mail has been sent using the broadcasting tool available at
> http://cic.gridops.org
>
> ------------------------------------------------------------------------------------
>
>
> Dear Site Admins and Security Contacts,
>
>
> DPM-gridftp-server is currently affected by a security flaw.
> Updated packages have been released and all affected sites are invited
> to upgrade immediately.
>
> <<< NOTE: THE UPDATED PACKAGES WILL BE AVAILABLE FROM 18:45 SWISS LOCAL
> TIME [16:45 UTC] TODAY (2 July) >>>
>
>
> Romain Wartel
> EGEE Operational Security Coordination
>
> ************************************************
> *** ADVISORY NOTES ***
> ************************************************
>
> DPM-gridftp-server Incorrect credentials propagation
>
> Operational Security Coordination Team Advisory
>
> -- Date: 2007-07-02
>
> -- Background
>
> The Disk Pool Manager (DPM) has been developed as a lightweight solution
> for disk storage management. The DPM offers a modified version of the
> Globus gridftp daemon for data access, among many other protocols.
>
> -- Affected Software
> LCG <= 2.7.x, gLite <= 3.0.x.
>
> gLite 3.1.x is not affected.
>
> -- Affected Components
> All versions of the DPM-gridftp-server package are affected.
>
> DPM servers running with VDT 1.6 or later are not affected, because they
> are using a different gridftp implementation from Globus Toolkit 4,
> interfaced to DPM via a plug-in interface. This comes with the package
> 'DPM-DSI', instead of the above mentioned 'DPM-gridftp-server'.
>
> For gLite 3.x the affected meta-packages are:
>
> glite-SE_dpm_disk
> glite-SE_dpm_mysql
> glite-SE_dpm_oracle
>
> Sites running LCG 2.x are asked to upgrade their DPM-gridftp-server to
> gLite.
>
> -- Vulnerability Details
>
> The DPM gridftp server handles the credentials of authenticated users in
> order to manage permissions on files. Unfortunately, it appears that
> under some circumstances the credentials are not correctly propagated.
>
> As a result, it is possible for a malicious user who has successfully
> authenticated against the DPM gridftp service to manipulate any file
> accessible by the service, including reading, writing, deleting and
> changing the permissions of the affected files and directories.
>
> -- Further documentation
> This advisory is also available at the following URL:
>
> http://glite.org/glite/packages/R3.0/updates.asp
>
> -- Installation Notes
> The following rpms have been made available:
>
> DPM-gridftp-server-1.6.5-3sec.i386.rpm
>
> It is possible to upgrade the 'DPM-gridftp-server' component only
> (without upgrading the rest of the DPM components) from any version
> including 1.6.0 to 1.6.5-2.
>
> If the upgrade is not feasible, then we recommend stopping the DPM
> gridftp service and contacting the developers for the possibility of a
> custom upgrade path:
>
> /sbin/service dpm-gsiftp stop
> /sbin/chkconfig --del dpm-gsiftp
>
> They are available in the appropriate repositories for each distribution.
>
> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
>
> -- Credit
> This vulnerability has been discovered by Kostas Georgiou.
>
> -- Disclosure Timeline
> 2007-06-19 Vulnerability reported to the LFC/DPM developers
> 2007-06-19 Initial response from the LFC/DPM developers
> 2007-06-26 Updated packages ready for certification and testing
> 2007-07-02 OSCT notified of the vulnerability
> 2007-07-02 Updated packages certified
> 2007-07-02 Release preparation completed
> 2007-07-02 Updated LCG and gLite packages available
> 2007-07-02 Public disclosure
> 2007-07-02 Site Admins and LCG Security Contacts notified
>
> -- References
>
> The details of the vulnerability and the update can be found here:
>
> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
>
> For more detailed information including fixed bugs, updated RPMs,
> configuration changes and how to deploy, please go to the 'Details' link
> next to each service on the 'Updates' web page.
>
> All issues found with this update should be reported using GGUS:
> www.ggus.org
>
>
> _______________________________________________
> Hepman-lcg mailing list
> http://lists.manchester.ac.uk/mailman/listinfo/hepman-lcg
>
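A site-admin triage script for the advisory above, added here as an example and not part of the broadcast or of the DPM project: it classifies an installed DPM-gridftp-server VERSION-RELEASE against the fixed package 1.6.5-3sec and, on a real node, queries rpm and recognises the unaffected DPM-DSI plug-in. The assumptions are that any release at or above 1.6.5-3 carries the fix and that rpm is the package manager.

```shell
#!/bin/sh
# Added triage helper, not part of the broadcast: classifies a DPM-gridftp-server
# VERSION-RELEASE against the fixed package 1.6.5-3sec from the advisory and, on a
# real host, queries rpm and checks for the unaffected DPM-DSI plug-in instead.
# Assumptions: any release >= 1.6.5-3 is fixed; rpm is the package manager.
FIXED_VERSION=1.6.5
FIXED_RELEASE=3   # numeric part of "3sec"

# vercmp A B: print -1, 0 or 1 for dotted numeric versions (globals: no 'local' in sh).
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}; [ -z "$x" ] && x=0; [ -z "$y" ] && y=0
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# dpm_gridftp_status VERSION-RELEASE: print "fixed" or "vulnerable".
dpm_gridftp_status() {
    case $1 in *-*) ver=${1%-*}; rel=${1##*-} ;; *) ver=$1; rel=0 ;; esac
    rel=${rel%%[!0-9]*}; [ -z "$rel" ] && rel=0     # "3sec" -> 3
    case $(vercmp "$ver" "$FIXED_VERSION") in
        -1) printf 'vulnerable\n' ;;
         1) printf 'fixed\n' ;;
         *) if [ "$rel" -ge "$FIXED_RELEASE" ]; then printf 'fixed\n'; else printf 'vulnerable\n'; fi ;;
    esac
}

# probe_host: inventory the local node. DPM-DSI (VDT 1.6+, Globus Toolkit 4
# gridftp) is not affected; DPM-gridftp-server is classified by version.
probe_host() {
    if rpm -q DPM-DSI >/dev/null 2>&1; then
        echo "DPM-DSI installed: not affected by this advisory"
    elif pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' DPM-gridftp-server 2>/dev/null); then
        echo "DPM-gridftp-server $pkg: $(dpm_gridftp_status "$pkg")"
        # If upgrading is not feasible, the advisory's interim step is:
        #   /sbin/service dpm-gsiftp stop && /sbin/chkconfig --del dpm-gsiftp
    else
        echo "no DPM gridftp package installed"
    fi
}

# With arguments, classify the given VERSION-RELEASE strings; otherwise probe.
if [ $# -gt 0 ]; then for v; do echo "$v: $(dpm_gridftp_status "$v")"; done; else probe_host; fi
```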