Did you contact them directly or did you send the request to the storage
mailing list?
cheers
alessandra
Greig Alan Cowan wrote:
>
> Jeremy,
>
> I think some sites are busy with experimental work at the moment. Once
> this is finished they intend to upgrade.
>
> I've yet to hear anything from Sheffield on this matter, so it would be
> good if Alessandra could get in touch with them and ask them what their
> plans are for upgrade.
>
> Greig
>
> Coles, J (Jeremy) wrote:
>> Hi
>>
>> Are there any sites NOT considering to upgrade to 1.6.X? It would
>> certainly be better to deal with this upgrade before the holiday season
>> starts so that you have a clear run at SL4 WNs afterwards!
>>
>> Jeremy
>>
>>> -----Original Message-----
>>> From: Greig Alan Cowan [mailto:[log in to unmask]]
>>> Sent: 03 July 2007 08:38
>>> To: gridpp storage
>>> Cc: GridPP Dteam
>>> Subject: Re: [Fwd: [HEPMAN-LCG] gLite 3.0 SECURITY PATCH. Priority:
>>> **URGENT**]
>>>
>>> The DPM developers have replied and have stated that they do not advise
>>> running the 1.6.5-3 gridftp server while not upgrading the remaining
>>> components of the DPM from 1.5.10. Their advice for sites running 1.5.10
>>> is to upgrade the entire DPM install to the production release.
>>>
>>> That being said, they are currently preparing an rpm for the 1.5.10
>>> gridftp server that contains the security fix. This will allow sites to
>>> quickly deploy the fix if they don't have enough time to upgrade the
>>> entire DPM.
>>>
>>> Sites should be aware that they will still need to completely upgrade
>>> their DPM to 1.6.X if they haven't already done so. 1.6.X gives the
>>> SRM2.2 endpoint that will soon be essential for participating in WLCG.
>>>
>>> Greig
>>>
>>> Greig Alan Cowan wrote:
>>>> All sites running v1.6.X of DPM should upgrade as soon as possible. Only
>>>> the gridftp server has to be upgraded.
>>>>
>>>> For sites on v1.5.10 it *might* be possible to run the upgraded gridftp
>>>> server with the remaining components on 1.5.10. This will allow the
>>>> security patch to be deployed quickly while postponing the need for a
>>>> complete upgrade to 1.6.X (which has some complications if you are still
>>>> on 1.5.10). I am currently investigating this possibility.
>>>>
>>>> Cheers,
>>>> Greig
>>>>
>>>>
>>>> Alessandra Forti wrote:
>>>>> TO ALL DPM SITES.
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: [HEPMAN-LCG] gLite 3.0 SECURITY PATCH. Priority:
>> **URGENT**
>>>>> Date: Mon, 2 Jul 2007 18:05:26 +0200
>>>>> From: EGEE BROADCAST <[log in to unmask]>
>>>>> To: [log in to unmask], [log in to unmask],
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------------
>>>>>
>>>>> Publication from : Nick Thackray <[log in to unmask]> (CERN)
>>>>>
>>>>> This mail has been sent using the broadcasting tool available at
>>>>> http://cic.gridops.org
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------------
>>>>>
>>>>> Dear Site Admins and Security Contacts,
>>>>>
>>>>>
>>>>> DPM-gridftp-server is currently affected by a security flaw.
>>>>> Updated packages have been released and all affected sites are invited
>>>>> to upgrade immediately.
>>>>>
>>>>> <<< NOTE: THE UPDATED PACKAGES WILL BE AVAILABLE FROM 18:45 SWISS
>>>>> LOCAL TIME [16:45 UTC] TODAY (2 July) >>>
>>>>>
>>>>>
>>>>> Romain Wartel
>>>>> EGEE Operational Security Coordination
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ************************************************
>>>>> *** ADVISORY NOTES ***
>>>>> ************************************************
>>>>>
>>>>> DPM-gridftp-server Incorrect credentials propagation
>>>>>
>>>>> Operational Security Coordination Team Advisory
>>>>>
>>>>> -- Date: 2007-07-02
>>>>>
>>>>> -- Background
>>>>>
>>>>> The Disk Pool Manager (DPM) has been developed as a lightweight
>>>>> solution for disk storage management. The DPM offers a modified
>>>>> version of the Globus gridftp daemon for data access, among many other
>>>>> protocols.
>>>>>
>>>>> -- Affected Software
>>>>> LCG <= 2.7.x, gLite <= 3.0.x.
>>>>>
>>>>> gLite 3.1.x is not affected.
>>>>>
>>>>> -- Affected Components
>>>>> All versions of the DPM-gridftp-server package are affected.
>>>>>
>>>>> DPM servers running with VDT 1.6 or later are not affected, because
>>>>> they are using a different gridftp implementation from Globus Toolkit
>>>>> 4, interfaced to DPM via a plug-in interface. This comes with the
>>>>> package 'DPM-DSI', instead of the above mentioned 'DPM-gridftp-server'.
>>>>> For gLite 3.x the affected meta-packages are:
>>>>>
>>>>> glite-SE_dpm_disk
>>>>> glite-SE_dpm_mysql
>>>>> glite-SE_dpm_oracle
>>>>>
>>>>> Sites running LCG 2.x are asked to upgrade their DPM-gridftp-server to
>>>>> gLite.
>>>>>
>>>>> -- Vulnerability Details
>>>>>
>>>>> The DPM gridftp server is handling the credentials of authenticated
>>>>> users to manage permissions on the files. Unfortunately, it appears
>>>>> that under some circumstances, the credentials are not correctly
>>>>> propagated.
>>>>>
>>>>> As a result, it is possible for a malicious user who successfully
>>>>> authenticated against the DPM gridftp service to manipulate any file
>>>>> accessible by the service, including reading, writing, deleting and
>>>>> changing the permissions of the affected files and directories.
>>>>>
>>>>> -- Further documentation
>>>>> This advisory is also available at the following URL:
>>>>>
>>>>> http://glite.org/glite/packages/R3.0/updates.asp
>>>>>
>>>>> -- Installation Notes
>>>>> The following rpms have been made available:
>>>>>
>>>>> DPM-gridftp-server-1.6.5-3sec.i386.rpm
>>>>>
>>>>> It is possible to upgrade the 'DPM-gridftp-server' component only
>>>>> (without upgrading the rest of the DPM components) from any version
>>>>> including 1.6.0 to 1.6.5-2.
>>>>>
>>>>> If the upgrade is not feasible, then we recommend stopping the DPM
>>>>> gridftp service and contacting the developers for the possibility of a
>>>>> custom upgrade path:
>>>>>
>>>>> /sbin/service dpm-gsiftp stop
>>>>> /sbin/chkconfig --del dpm-gsiftp
>>>>>
>>>>> They are available in the appropriate repositories for each distribution.
>>>>> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
>>>>>
>>>>> -- Credit
>>>>> This vulnerability has been discovered by Kostas Georgiou.
>>>>>
>>>>> -- Disclosure Timeline
>>>>> 2007-06-19 Vulnerability reported to the LFC/DPM developers
>>>>> 2007-06-19 Initial response from the LFC/DPM developers
>>>>> 2007-06-26 Updated packages ready for certification and testing
>>>>> 2007-07-02 OSCT notified of the vulnerability
>>>>> 2007-07-02 Updated packages certified
>>>>> 2007-07-02 Release preparation completed
>>>>> 2007-07-02 Updated LCG and gLite packages available
>>>>> 2007-07-02 Public disclosure
>>>>> 2007-07-02 Site Admins and LCG Security Contacts notified
>>>>>
>>>>> -- References
>>>>>
>>>>> The details of the vulnerability and the update can be found here:
>>>>>
>>>>> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
>>>>>
>>>>> For more detailed information including fixed bugs, updated RPMs,
>>>>> configuration changes and how to deploy, please go to the 'Details'
>>>>> link next to each service on the 'Updates' web page.
>>>>>
>>>>> All issues found with this update should be reported using GGUS:
>>>>> www.ggus.org
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Hepman-lcg mailing list
>>>>> [log in to unmask]
>>>>> http://lists.manchester.ac.uk/mailman/listinfo/hepman-lcg
>>>>>
--
Alessandra Forti
NorthGrid Technical Coordinator
University of Manchester
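Added example, not part of this thread and not code from the DPM project or the OSCT advisory: a small POSIX shell helper that maps an installed DPM-gridftp-server version/release string (as printed by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' DPM-gridftp-server`) onto the situations the advisory distinguishes. The fixed package is 1.6.5-3sec; 1.6.0 up to 1.6.5-2 can upgrade the gridftp server alone; older installs (1.5.10) need a full DPM upgrade or must stop dpm-gsiftp. The function name, the category strings it prints, and the assumption that anything at or above 1.6.5-3 is fixed are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the DPM project): classify an
# installed DPM-gridftp-server against the 2007-07-02 OSCT advisory.
#
# dpm_gridftp_action VERSION-RELEASE   e.g. "1.6.5-3sec", "1.6.5-2", "1.5.10-1"
# Prints one of (names chosen for this example):
#   fixed                 1.6.5-3 or later (assumed fixed; 1.6.5-3sec is the fix)
#   upgrade-gridftp-only  1.6.0 .. 1.6.5-2: update only DPM-gridftp-server
#   full-upgrade-or-stop  older than 1.6 (e.g. 1.5.10): full DPM upgrade, or
#                         stop/disable dpm-gsiftp and contact the developers
#   not-covered           newer than the advisory's range
dpm_gridftp_action() {
    vr=$1
    ver=${vr%%-*}                    # "1.6.5"
    rel=${vr#*-}                     # "3sec" (whole string if there is no '-')
    if [ "$rel" = "$vr" ]; then rel=0; fi
    # keep only the leading digits of the release: "3sec" -> "3"
    relnum=$(printf '%s\n' "$rel" | sed 's/[^0-9].*$//')
    if [ -z "$relnum" ]; then relnum=0; fi

    major=${ver%%.*}                 # "1"
    rest=${ver#*.}                   # "6.5"
    minor=${rest%%.*}                # "6"
    patch=${rest#*.}                 # "5"
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "1.6" -> patch 0

    if [ "$major" -eq 1 ] && [ "$minor" -eq 6 ]; then
        if [ "$patch" -gt 5 ] || { [ "$patch" -eq 5 ] && [ "$relnum" -ge 3 ]; }; then
            echo fixed
        else
            echo upgrade-gridftp-only
        fi
    elif [ "$major" -eq 1 ] && [ "$minor" -lt 6 ]; then
        echo full-upgrade-or-stop
    else
        echo not-covered
    fi
}

# Site-side usage: pass a version string, or let the script query rpm itself.
# Offline (no rpm, or package not installed) the script simply prints nothing.
if [ $# -gt 0 ]; then
    dpm_gridftp_action "$1"
elif command -v rpm >/dev/null 2>&1 && rpm -q DPM-gridftp-server >/dev/null 2>&1; then
    dpm_gridftp_action "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' DPM-gridftp-server)"
fi
```

On a site that gets `full-upgrade-or-stop`, the advisory's interim step is the two commands it lists (`service dpm-gsiftp stop`, `chkconfig --del dpm-gsiftp`); the script deliberately only reports and does not touch the service.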