TO ALL DPM SITES.
-------- Original Message --------
Subject: [HEPMAN-LCG] gLite 3.0 SECURITY PATCH. Priority: **URGENT**
Date: Mon, 2 Jul 2007 18:05:26 +0200
From: EGEE BROADCAST <[log in to unmask]>
To: [log in to unmask], [log in to unmask],
------------------------------------------------------------------------------------
Publication from : Nick Thackray <[log in to unmask]> (CERN)
This mail has been sent using the broadcasting tool available at
http://cic.gridops.org
------------------------------------------------------------------------------------
Dear Site Admins and Security Contacts,
DPM-gridftp-server is currently affected by a security flaw.
Updated packages have been released and all affected sites are invited
to upgrade immediately.
<<< NOTE: THE UPDATED PACKAGES WILL BE AVAILABLE FROM 18:45 SWISS LOCAL
TIME [16:45 UTC] TODAY (2 July) >>>
Romain Wartel
EGEE Operational Security Coordination
************************************************
*** ADVISORY NOTES ***
************************************************
DPM-gridftp-server Incorrect credentials propagation
Operational Security Coordination Team Advisory
-- Date: 2007-07-02
-- Background
The Disk Pool Manager (DPM) has been developed as a lightweight solution
for disk storage management. The DPM offers a modified version of the
Globus gridftp daemon for data access, among many other protocols.
-- Affected Software
LCG <= 2.7.x, gLite <= 3.0.x.
gLite 3.1.x is not affected.
-- Affected Components
All versions of the DPM-gridftp-server package are affected.
DPM servers running with VDT 1.6 or later are not affected, because they
are using a different gridftp implementation from Globus Toolkit 4,
interfaced to DPM via a plug-in interface. This comes with the package
'DPM-DSI', instead of the above mentioned 'DPM-gridftp-server'.
For gLite 3.x the affected meta-packages are:
glite-SE_dpm_disk
glite-SE_dpm_mysql
glite-SE_dpm_oracle
Sites running LCG 2.x are asked to upgrade their DPM-gridftp-server to
gLite.
-- Vulnerability Details
The DPM gridftp server handles the credentials of authenticated users to
manage permissions on the files. Unfortunately, it appears that under
some circumstances the credentials are not correctly propagated.
As a result, it is possible for a malicious user who has successfully
authenticated against the DPM gridftp service to manipulate any file
accessible by the service, including reading, writing, deleting and
changing the permissions of the affected files and directories.
-- Further documentation
This advisory is also available at the following URL:
http://glite.org/glite/packages/R3.0/updates.asp
-- Installation Notes
The following rpms have been made available:
DPM-gridftp-server-1.6.5-3sec.i386.rpm
It is possible to upgrade the 'DPM-gridftp-server' component only
(without upgrading the rest of the DPM components) from any version
including 1.6.0 to 1.6.5-2.
If the upgrade is not feasible, then we recommend stopping the DPM
gridftp service and contacting the developers for the possibility of a
custom upgrade path:
/sbin/service dpm-gsiftp stop
/sbin/chkconfig --del dpm-gsiftp
They are available in the appropriate repositories for each distribution.
http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
-- Credit
This vulnerability has been discovered by Kostas Georgiou.
-- Disclosure Timeline
2007-06-19 Vulnerability reported to the LFC/DPM developers
2007-06-19 Initial response from the LFC/DPM developers
2007-06-26 Updated packages ready for certification and testing
2007-07-02 OSCT notified of the vulnerability
2007-07-02 Updated packages certified
2007-07-02 Release preparation completed
2007-07-02 Updated LCG and gLite packages available
2007-07-02 Public disclosure
2007-07-02 Site Admins and LCG Security Contacts notified
-- References
The details of the vulnerability and the update can be found here:
http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
For more detailed information including fixed bugs, updated RPMs,
configuration changes and how to deploy, please go to the 'Details' link
next to each service on the 'Updates' web page.
All issues found with this update should be reported using GGUS:
www.ggus.org
_______________________________________________
Hepman-lcg mailing list
[log in to unmask]
http://lists.manchester.ac.uk/mailman/listinfo/hepman-lcg
--
Alessandra Forti
NorthGrid Technical Coordinator
University of Manchester
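The Installation Notes above leave the site admin to work out by hand which of three cases a given DPM server falls into: already fixed (1.6.5-3sec or later), eligible for the component-only upgrade (1.6.0 up to 1.6.5-2), or neither (older than 1.6.0, where the advisory recommends stopping dpm-gsiftp and contacting the developers). The following script is an added example, not part of the advisory or of the DPM distribution; the function names dpm_gridftp_status, vercmp and dpm_gridftp_check_host are assumptions, and the version strings it is exercised with are constructed. It classifies the "VERSION-RELEASE" string that rpm reports for DPM-gridftp-server against the advisory's thresholds, and also treats a host carrying the DPM-DSI package as not affected, as the advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed
# DPM-gridftp-server version against the thresholds in the advisory.
# Assumed helper names; version strings passed in are constructed.

# Compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# Input: "VERSION-RELEASE" as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' DPM-gridftp-server
# Output: fixed              (>= 1.6.5-3sec, the advisory's fixed build)
#         component-upgrade  (1.6.0 .. 1.6.5-2: upgrade this rpm alone)
#         stop-and-contact   (< 1.6.0: no component-only path is given,
#                             so stop dpm-gsiftp and contact the developers)
dpm_gridftp_status() {
    vr=$1
    ver=${vr%%-*}
    rel=${vr#*-}
    [ "$rel" = "$vr" ] && rel=0        # no release field at all
    relnum=${rel%%[!0-9]*}             # "3sec" -> 3
    relnum=${relnum:-0}
    case $(vercmp "$ver" 1.6.5) in
        1) echo fixed; return ;;
        0) if [ "$relnum" -ge 3 ]; then echo fixed
           else echo component-upgrade; fi
           return ;;
    esac
    if [ "$(vercmp "$ver" 1.6.0)" -ge 0 ]; then
        echo component-upgrade
    else
        echo stop-and-contact
    fi
}

# Live check on a real host (needs rpm); DPM-DSI sites are not affected.
dpm_gridftp_check_host() {
    if rpm -q DPM-DSI >/dev/null 2>&1; then
        echo "not-affected (DPM-DSI / Globus Toolkit 4 gridftp in use)"
        return
    fi
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' DPM-gridftp-server 2>/dev/null) || {
        echo "DPM-gridftp-server not installed"; return
    }
    echo "$vr: $(dpm_gridftp_status "$vr")"
}

# Usage: ./dpm_check.sh 1.6.2-1 1.6.5-3sec   (classify given strings)
#        . ./dpm_check.sh && dpm_gridftp_check_host   (query rpm)
if [ $# -gt 0 ]; then
    for v in "$@"; do echo "$v: $(dpm_gridftp_status "$v")"; done
fi
```

Only the numeric prefix of the release field is compared, so the "sec" suffix on the fixed build does not disturb the ordering; anything the comparison cannot place above 1.6.5-2 is reported as needing action rather than silently passed.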