On Mon, Nov 28, 2005 at 11:16:42PM +0000, Henry Nebrensky wrote:
> On Mon, 28 Nov 2005, David McBride wrote:
> 
> > EGEE BROADCAST wrote:
> > > ------------------------------------------------------------------------------------
> > > Publication from : Oliver Keeble 9443 <[log in to unmask]> (CERN)
> > > This mail has been sent using the broadcasting tool available at http://cic.in2p3.fr
> > > ------------------------------------------------------------------------------------
> > > 
> > > A patch for the R-GMA Pong Servlet vulnerability is now
> > > available.
> > 
> > This doesn't appear to affect the other R-GMA security bugs? (i.e.
> > it doesn't configure each site to run in authenticating mode?)
> 
> Apparently not, which is a pity as the current chaos would provide the 
> ideal opportunity to force through this change LCG-wide.

Henry,

This was discussed today in the weekly meeting between the R-GMA team
and SA1. Markus was of the opinion that coupling the two would cause
delays and even more confusion because of the need to acquire host
certificates. However, it was also agreed to circulate instructions on
making this step very soon after this pong servlet patch goes out - so
you can expect to see an announcement *very* soon.

Steve

> Henry
> 
> (and if this is an official LCG update, shouldn't the notification
> be going to the csirts list that originally warned us all to stop
> running R-GMA?)
>