You will have seen this already, but please make sure that you upgrade
if you haven't already.
Greig
-------- Original Message --------
Subject: [SECURITY] gLite 3.0 SECURITY PATCH. Priority: **URGENT**
Date: Thu, 19 Jul 2007 10:07:10 +0200
From: EGEE BROADCAST <[log in to unmask]>
To: [log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask], [log in to unmask],
[log in to unmask], [log in to unmask],
[log in to unmask],
[log in to unmask],
[log in to unmask]
------------------------------------------------------------------------------------
Publication from : Nick Thackray <[log in to unmask]> (CERN)
This mail has been sent using the broadcasting tool available at
http://cic.gridops.org
------------------------------------------------------------------------------------
Dear Site Admins and Security Contacts,
An updated version of DPM-gridftp-server was released recently to
address a security vulnerability. However, additional circumstances
where the vulnerability can be triggered have been discovered, hence a
second update is needed to address the original issue.
Updated packages have been released and all affected sites are invited
to upgrade immediately.
<<< NOTE: THE UPDATED PACKAGES ARE AVAILABLE IMMEDIATELY FROM THE CERN
REPOSITORIES >>>
EGEE Operational Security Coordination Team
********************************************************************************
http://www.gridpp.ac.uk/gsvg/advisories/advisory-27657.txt
Grid Security Vulnerability Group advisory
-- Date: 2007-07-18
-- Background
This is an update of Advisory-27657-2007-07-02.
The Disk Pool Manager (DPM) has been developed as a lightweight solution
for disk storage management. The DPM offers a modified version of the
Globus gridftp daemon for data access.
-- Vulnerability Details
The DPM gridftp server is handling the credentials of authenticated users
to manage permissions on the files. Unfortunately, under some
circumstances the credentials are not correctly propagated. As a
result, it is possible for a malicious user who has successfully
authenticated against the DPM gridftp service to manipulate any file
accessible by the service, including reading, writing, deleting and
changing the permissions of the affected files and directories.
DPM-gridftp-server v1.6.5-3 has been released recently to address this
issue. However, additional circumstances where the vulnerability can be
triggered have been discovered, hence a second update is needed to
address the original issue.
-- Component and Installation information
Information on affected software, components and installation instructions
is available with the release notes at:
http://glite.org/glite/packages/R3.0/updates.asp
-- Patch location
The patch is located at
https://savannah.cern.ch/patch/index.php?1235
-- Credit
This vulnerability has been discovered by Kostas Georgiou.
-- Disclosure Timeline
2007-06-19 Vulnerability reported to the LFC/DPM developers
2007-06-19 Initial response from the LFC/DPM developers
2007-06-26 Updated packages ready for certification and testing
2007-07-02 OSCT notified of the vulnerability
2007-07-02 Updated packages certified
2007-07-02 Release preparation completed
2007-07-02 Updated LCG and gLite packages available
2007-07-02 Public disclosure
2007-07-02 Site Admins and LCG Security Contacts notified
2007-07-04 Further vulnerabilities have been reported to the GSVG
2007-07-04 Response from the LFC/DPM developers
2007-07-10 Thorough fixing cycle involving the reporter finished
2007-07-17 Updated packages ready for certification and testing
2007-07-19 OSCT notified of the vulnerability
2007-07-19 Updated packages certified
2007-07-19 Release preparation completed
2007-07-19 Updated LCG and gLite packages available
2007-07-19 Public disclosure
2007-07-19 Site Admins and LCG Security Contacts notified
-- References
The details of the vulnerability and the update can be found here:
http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
For more detailed information including fixed bugs, updated RPMs,
configuration changes and how to deploy, please go to the 'Details' link
next to each service on the 'Updates' web page.
All issues found with this update should be reported using GGUS:
www.ggus.org.