On 4 Jul 2007, at 20:00, Greig Alan Cowan wrote:
> Some comments on the minutes:
>
> 1. Quick site upgrade status
>
> Deploying the DPM security patch - getting urgent: According to the
> mysteriously vanishing email from Kostas (Jens hadn't received it
> but everybody else had), the GridFTP server fix does not fix the
> problem. It is now necessary to put it back into the loop,
> involving the EGEE vulnerabilities group properly, this time.
>
> ACTION Graeme - follow up, Jens follow up with Linda Cornwall.
>
> We now have some more information on this. Will feed this back soon.
Update and some further feedback:

0. You must remember to restart the dpm-gsiftp service after updating
the RPM - the RPM update does not do this for you! (This one got me
at Glasgow.)

1. The vulnerabilities seem to be fixed for people mapped to normal
pool accounts by the gridftp server (e.g., dteamNNN).

2. The vulnerabilities still seem to be present for people mapped to
"special" accounts, such as *sgm accounts (of which Kostas, it turns
out, is one).

GSVG are tracking this and we've exchanged several emails with J-P B
today.

It is important to upgrade to 1.6.5 because this cuts down the number
of people who can execute the exploit from ~3800 to ~800 (at least
for Glasgow's supported VO set).
g
--
Dr Graeme Stewart - http://wiki.gridpp.ac.uk/wiki/User:Graeme_stewart
ScotGrid - http://www.scotgrid.ac.uk/ http://scotgrid.blogspot.com/
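The point in item 0 above (the RPM update does not restart dpm-gsiftp, so a patched package can sit on disk while the old server keeps running) is easy to check for. The script below is an added example, not code from the thread or from the DPM project: it compares the install time recorded by rpm for the package with the start time of the oldest running server process and reports whether a restart is still needed. The package name and process name are assumptions (placeholders); the real values have to be read off the head node with rpm -qa and ps. It assumes a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the thread or from DPM itself): decide whether a
# long-running service is still the pre-update binary by comparing the RPM's
# install time with the start time of the oldest matching process.
# Assumptions (hypothetical): the RPM providing the server is passed as $1,
# the process name to look for as $2; a Linux /proc filesystem is available.

# needs_restart INSTALL_EPOCH START_EPOCH
# Prints "yes" when the process started before the package was (re)installed,
# i.e. it is still running the old code; "no" otherwise.
needs_restart() {
    if [ "$2" -lt "$1" ]; then
        echo yes
    else
        echo no
    fi
}

# rpm_install_epoch PACKAGE
# Most recent INSTALLTIME (epoch seconds) among installed versions of PACKAGE.
# Prints nothing if the package is not installed (rpm's error text is dropped).
rpm_install_epoch() {
    rpm -q --queryformat '%{INSTALLTIME}\n' "$1" 2>/dev/null \
        | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# process_start_epoch PID
# Start time of PID in epoch seconds: boot time from /proc/stat plus the
# process's starttime (clock ticks since boot) from /proc/PID/stat. Everything
# up to the closing ')' is stripped first so a comm containing spaces cannot
# shift the fields; starttime is field 22 overall, field 20 after the strip.
process_start_epoch() {
    btime=$(awk '/^btime/ { print $2 }' /proc/stat)
    ticks=$(sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $20 }')
    hz=$(getconf CLK_TCK)
    echo $(( btime + ticks / hz ))
}

# check_service PACKAGE PROCESS_NAME
# Exit 0 if the oldest PROCESS_NAME process is newer than the RPM install,
# 1 if it predates the install (restart needed), 2 if it is not running,
# 3 if the package is not installed.
check_service() {
    pkg=$1
    proc=$2
    pid=$(pgrep -o -x "$proc") || { echo "$proc: not running"; return 2; }
    installed=$(rpm_install_epoch "$pkg")
    [ -n "$installed" ] || { echo "$pkg: not installed"; return 3; }
    started=$(process_start_epoch "$pid")
    if [ "$(needs_restart "$installed" "$started")" = yes ]; then
        echo "$proc (pid $pid) started before $pkg was updated: restart needed"
        return 1
    fi
    echo "$proc (pid $pid) is newer than the $pkg install: ok"
    return 0
}

# Usage (placeholder names; confirm the real RPM and process names with
# 'rpm -qa' and 'ps' on the DPM head node before relying on this):
#   check_service DPM-gridftp-server-PLACEHOLDER globus-gridftp-server
```

Run it after the RPM update (or from a cron job on every DPM head node); a non-zero exit from check_service means the server still predates the package and service dpm-gsiftp restart is the step that was missed. The comparison is deliberately on the oldest matching process, since a forked child may be newer than the parent that was never restarted.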