Hi
Are there any sites NOT considering upgrading to 1.6.X? It would
certainly be better to deal with this upgrade before the holiday season
starts so that you have a clear run at SL4 WNs afterwards!
Jeremy
> -----Original Message-----
> From: Greig Alan Cowan [mailto:[log in to unmask]]
> Sent: 03 July 2007 08:38
> To: gridpp storage
> Cc: GridPP Dteam
> Subject: Re: [Fwd: [HEPMAN-LCG] gLite 3.0 SECURITY PATCH. Priority:
> **URGENT**]
>
> The DPM developers have replied and have stated that they do not
> advise running the 1.6.5-3 gridftp server while not upgrading the
> remaining components of the DPM from 1.5.10. Their advice for sites
> running 1.5.10 is to upgrade the entire DPM install to the production
> release.
>
> That being said, they are currently preparing an rpm for the 1.5.10
> gridftp server that contains the security fix. This will allow sites to
> quickly deploy the fix if they don't have enough time to upgrade the
> entire DPM.
>
> Sites should be aware that they will still need to completely upgrade
> their DPM to 1.6.X if they haven't already done so. 1.6.X gives the
> SRM2.2 endpoint that will soon be essential for participating in WLCG.
>
> Greig
>
> Greig Alan Cowan wrote:
> > All sites running v1.6.X of DPM should upgrade as soon as possible.
> > Only the gridftp server has to be upgraded.
> >
> > For sites on v1.5.10 it *might* be possible to run the upgraded
> > gridftp server with the remaining components on 1.5.10. This will
> > allow the security patch to be deployed quickly while postponing the
> > need for a complete upgrade to 1.6.X (which has some complications if
> > you are still on 1.5.10). I am currently investigating this
> > possibility.
> >
> > Cheers,
> > Greig
> >
> >
> > Alessandra Forti wrote:
> >> TO ALL DPM SITES.
> >>
> >> -------- Original Message --------
> >> Subject: [HEPMAN-LCG] gLite 3.0 SECURITY PATCH. Priority: **URGENT**
> >> Date: Mon, 2 Jul 2007 18:05:26 +0200
> >> From: EGEE BROADCAST <[log in to unmask]>
> >> To: [log in to unmask], [log in to unmask],
> >>
> >>
> >>
> >> ------------------------------------------------------------------------------------
> >>
> >>
> >> Publication from : Nick Thackray <[log in to unmask]> (CERN)
> >>
> >> This mail has been sent using the broadcasting tool available at
> >> http://cic.gridops.org
> >>
> >>
> >> ------------------------------------------------------------------------------------
> >>
> >>
> >> Dear Site Admins and Security Contacts,
> >>
> >>
> >> DPM-gridftp-server is currently affected by a security flaw.
> >> Updated packages have been released and all affected sites are
> >> invited to upgrade immediately.
> >>
> >> <<< NOTE: THE UPDATED PACKAGES WILL BE AVAILABLE FROM 18:45 SWISS
> >> LOCAL TIME [16:45 UTC] TODAY (2 July) >>>
> >>
> >>
> >> Romain Wartel
> >> EGEE Operational Security Coordination
> >>
> >>
> >>
> >>
> >> ************************************************
> >> *** ADVISORY NOTES ***
> >> ************************************************
> >>
> >> DPM-gridftp-server Incorrect credentials propagation
> >>
> >> Operational Security Coordination Team Advisory
> >>
> >> -- Date: 2007-07-02
> >>
> >> -- Background
> >>
> >> The Disk Pool Manager (DPM) has been developed as a lightweight
> >> solution for disk storage management. The DPM offers a modified
> >> version of the Globus gridftp daemon for data access, among many
> >> other protocols.
> >>
> >> -- Affected Software
> >> LCG <= 2.7.x, gLite <= 3.0.x.
> >>
> >> gLite 3.1.x is not affected.
> >>
> >> -- Affected Components
> >> All versions of the DPM-gridftp-server package are affected.
> >>
> >> DPM servers running with VDT 1.6 or later are not affected, because
> >> they are using a different gridftp implementation from Globus
> >> Toolkit 4, interfaced to DPM via a plug-in interface. This comes
> >> with the package 'DPM-DSI', instead of the above mentioned
> >> 'DPM-gridftp-server'.
> >>
> >> For gLite 3.x the affected meta-packages are:
> >>
> >> glite-SE_dpm_disk
> >> glite-SE_dpm_mysql
> >> glite-SE_dpm_oracle
> >>
> >> Sites running LCG 2.x are asked to upgrade their DPM-gridftp-server
> >> to gLite.
> >>
> >> -- Vulnerability Details
> >>
> >> The DPM gridftp server is handling the credentials of authenticated
> >> users to manage permissions on the files. Unfortunately, it appears
> >> that under some circumstances, the credentials are not correctly
> >> propagated.
> >>
> >> As a result, it is possible for a malicious user who successfully
> >> authenticated against the DPM gridftp service to manipulate any
> >> file accessible by the service, including reading, writing, deleting
> >> and changing the permissions of the affected files and directories.
> >>
> >> -- Further documentation
> >> This advisory is also available at the following URL:
> >>
> >> http://glite.org/glite/packages/R3.0/updates.asp
> >>
> >> -- Installation Notes
> >> The following rpms have been made available;
> >>
> >> DPM-gridftp-server-1.6.5-3sec.i386.rpm
> >>
> >> It is possible to upgrade the 'DPM-gridftp-server' component only
> >> (without upgrading the rest of the DPM components) from any version
> >> including 1.6.0 to 1.6.5-2.
> >>
> >> If the upgrade is not feasible, then we recommend stopping the DPM
> >> gridftp service and contacting the developers for the possibility
> >> of a custom upgrade path:
> >>
> >> /sbin/service dpm-gsiftp stop
> >> /sbin/chkconfig --del dpm-gsiftp
> >>
> >> They are available in the appropriate repositories for each
> >> distribution.
> >>
> >> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
> >>
> >> -- Credit
> >> This vulnerability has been discovered by Kostas Georgiou.
> >>
> >> -- Disclosure Timeline
> >> 2007-06-19 Vulnerability reported to the LFC/DPM developers
> >> 2007-06-19 Initial response from the LFC/DPM developers
> >> 2007-06-26 Updated packages ready for certification and testing
> >> 2007-07-02 OSCT notified of the vulnerability
> >> 2007-07-02 Updated packages certified
> >> 2007-07-02 Release preparation completed
> >> 2007-07-02 Updated LCG and gLite packages available
> >> 2007-07-02 Public disclosure
> >> 2007-07-02 Site Admins and LCG Security Contacts notified
> >>
> >> -- References
> >>
> >> The details of the vulnerability and the update can be found here:
> >>
> >> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
> >>
> >> For more detailed information including fixed bugs, updated RPMs,
> >> configuration changes and how to deploy, please go to the 'Details'
> >> link next to each service on the 'Updates' web page.
> >>
> >> All issues found with this update should be reported using GGUS:
> >> www.ggus.org
> >>
> >>
> >> _______________________________________________
> >> Hepman-lcg mailing list
> >> [log in to unmask]
> >> http://lists.manchester.ac.uk/mailman/listinfo/hepman-lcg
> >>
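The decision tree in the advisory's installation notes (component-only upgrade for DPM-gridftp-server 1.6.0 through 1.6.5-2, full DPM upgrade or stopping dpm-gsiftp for older releases such as 1.5.10, DPM-DSI sites out of scope), written out as a triage script. This is an added example, not part of this thread or of the DPM project. It assumes `rpm -q` output of the form NAME-VERSION-RELEASE with an optional .ARCH suffix, treats 1.6.5-3sec as the only fixed release (the one the advisory names), and the sample package names below are constructed, not real site output.

```shell
#!/bin/sh
# Added example, not from the advisory or the DPM project: classify an
# installed DPM gridftp package against the 2007-07-02 advisory.
# Assumptions: `rpm -q` prints NAME-VERSION-RELEASE with an optional
# .ARCH suffix, and DPM-gridftp-server-1.6.5-3sec is the fixed release.

# vercmp A B: compare dotted numeric versions; prints -1, 0 or 1.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# classify_dpm_gridftp PKG: prints the advisory's action for one rpm -q line.
#   not-affected   DPM-DSI (GT4 gridftp via VDT >= 1.6), out of scope
#   fixed          DPM-gridftp-server 1.6.5-3sec (or a later version)
#   patch-gridftp  1.6.0 .. 1.6.5-2: upgrade DPM-gridftp-server alone
#   full-upgrade   older (e.g. 1.5.10): upgrade the whole DPM, or stop
#                  dpm-gsiftp and ask the developers for a custom path
classify_dpm_gridftp() {
  pkg="$1"
  case "$pkg" in
    DPM-DSI-*)            printf '%s\n' not-affected; return 0 ;;
    DPM-gridftp-server-*) ;;
    *)                    printf '%s\n' unknown; return 1 ;;
  esac
  vr="${pkg#DPM-gridftp-server-}"                       # 1.6.5-3sec.i386
  case "$vr" in *.i386|*.x86_64|*.noarch) vr="${vr%.*}" ;; esac
  ver="${vr%%-*}"                                       # 1.6.5
  rel="${vr#*-}"                                        # 3sec
  case "$(vercmp "$ver" 1.6.5)" in
    1)  printf '%s\n' fixed ;;
    0)  case "$rel" in
          3sec*) printf '%s\n' fixed ;;
          *)     printf '%s\n' patch-gridftp ;;
        esac ;;
    *)  if [ "$(vercmp "$ver" 1.6.0)" -ge 0 ]; then
          printf '%s\n' patch-gridftp
        else
          printf '%s\n' full-upgrade
        fi ;;
  esac
}

# Constructed sample lines, as `rpm -q DPM-gridftp-server DPM-DSI` might
# print on a mixed set of nodes (not real site output).
SAMPLE_RPMS="DPM-gridftp-server-1.6.5-3sec.i386
DPM-gridftp-server-1.6.5-2
DPM-gridftp-server-1.6.0-1
DPM-gridftp-server-1.5.10-1
DPM-DSI-1.0.0-1.i386"

for p in $SAMPLE_RPMS; do
  printf '%-40s %s\n' "$p" "$(classify_dpm_gridftp "$p")"
done
```

On a real node, replace the constructed list with the output of `rpm -q DPM-gridftp-server DPM-DSI`; a result of full-upgrade is the case where the advisory says to run the two dpm-gsiftp commands above until the whole DPM can be brought to 1.6.X.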