
You will have seen this already, but please make sure that you upgrade 
if you haven't already.

Greig

-------- Original Message --------
Subject: [SECURITY] gLite 3.0 SECURITY PATCH. Priority: **URGENT**
Date: Thu, 19 Jul 2007 10:07:10 +0200
From: EGEE BROADCAST <[log in to unmask]>
To: [log in to unmask] (further recipients omitted; all addresses are masked by the list archive)


------------------------------------------------------------------------------------

Publication from : Nick Thackray <[log in to unmask]> (CERN)

This mail has been sent using the broadcasting tool available at 
http://cic.gridops.org

------------------------------------------------------------------------------------

Dear Site Admins and Security Contacts,


An updated version of DPM-gridftp-server was released recently to 
address a security vulnerability. However, additional circumstances
where the vulnerability can be triggered have been discovered, hence a 
second update is needed to address the original issue.

Updated packages have been released and all affected sites are invited 
to upgrade immediately.

<<< NOTE:  THE UPDATED PACKAGES ARE AVAILABLE IMMEDIATELY FROM THE CERN 
REPOSITORIES >>>


EGEE Operational Security Coordination Team


********************************************************************************
http://www.gridpp.ac.uk/gsvg/advisories/advisory-27657.txt

Grid Security Vulnerability Group advisory

-- Date: 2007-07-18

-- Background


This is an update of Advisory-27657-2007-07-02.

The Disk Pool Manager (DPM) has been developed as a lightweight solution
for disk storage management. The DPM offers a modified version of the
Globus gridftp daemon for data access.

-- Vulnerability Details

The DPM gridftp server handles the credentials of authenticated users to
manage permissions on the files. Unfortunately, under some circumstances
the credentials are not correctly propagated. As a result, it is possible
for a malicious user who has successfully authenticated against the DPM
gridftp service to manipulate any file accessible by the service,
including reading, writing, deleting and changing the permissions of the
affected files and directories.

DPM-gridftp-server v1.6.5-3 has been released recently to address this
issue. However, additional circumstances where the vulnerability can be
triggered have been discovered, hence a second update is needed to
address the original issue.


-- Component and Installation Information

Information on affected software, components and installation instructions
are available with the release notes at:

http://glite.org/glite/packages/R3.0/updates.asp

-- Patch location

The patch is located at

https://savannah.cern.ch/patch/index.php?1235


-- Credit

This vulnerability has been discovered by Kostas Georgiou.


-- Disclosure Timeline

2007-06-19 Vulnerability reported to the LFC/DPM developers
2007-06-19 Initial response from the LFC/DPM developers
2007-06-26 Updated packages ready for certification and testing
2007-07-02 OSCT notified of the vulnerability
2007-07-02 Updated packages certified
2007-07-02 Release preparation completed
2007-07-02 Updated LCG and gLite packages available
2007-07-02 Public disclosure
2007-07-02 Site Admins and LCG Security Contacts notified
2007-07-04 Further vulnerabilities have been reported to the GSVG
2007-07-04 Response from the LFC/DPM developers
2007-07-10 Thorough fixing cycle involving the reporter finished
2007-07-17 Updated packages ready for certification and testing
2007-07-19 OSCT notified of the vulnerability
2007-07-19 Updated packages certified
2007-07-19 Release preparation completed
2007-07-19 Updated LCG and gLite packages available
2007-07-19 Public disclosure
2007-07-19 Site Admins and LCG Security Contacts notified


-- References
The details of the vulnerability and the update can be found here:

http://glite.web.cern.ch/glite/packages/R3.0/updates.asp

For more detailed information including fixed bugs, updated RPMs,
configuration changes and how to deploy, please go to the 'Details' link
next to each service on the 'Updates' web page.

All issues found with this update should be reported using GGUS:

www.ggus.org.
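The advisory asks affected sites to upgrade and names only the first fixed package (DPM-gridftp-server v1.6.5-3), not the version of the second update. A site admin checking a fleet of storage nodes therefore needs to compare the installed RPM against a fixed version using RPM's own ordering rules, where "1.6.10" is newer than "1.6.5" and "3.sl3" is newer than release "3". The following is an added example, not code from the advisory, the GSVG or the DPM project: a Python port of rpm's rpmvercmp (tilde handled, caret not) plus an epoch:version-release comparison, run over a constructed per-host report. The report lines, the hostnames and the use of 1.6.5-3 as the threshold are assumptions; when checking a real site, substitute the EVR of the second update from the gLite release notes.

```python
"""
Added example (not part of the advisory or of the DPM project): decide whether
an installed DPM-gridftp-server RPM is at or above a fixed version using RPM's
own version ordering (a port of rpm's rpmvercmp; '~' handled, '^' not).
"""


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _isalpha(c: str) -> bool:
    return ("a" <= c <= "z") or ("A" <= c <= "Z")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings; returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not ASCII alphanumeric or '~') are skipped.
        while i < len(a) and not (_isdigit(a[i]) or _isalpha(a[i]) or a[i] == "~"):
            i += 1
        while j < len(b) and not (_isdigit(b[j]) or _isalpha(b[j]) or b[j] == "~"):
            j += 1
        # A tilde sorts before anything, including the end of the string,
        # so 1.6.5~rc1 is older than 1.6.5.
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next all-digit or all-alpha run from both strings.
        numeric = _isdigit(a[i])
        pred = _isdigit if numeric else _isalpha
        si, sj = i, j
        while i < len(a) and pred(a[i]):
            i += 1
        while j < len(b) and pred(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            # Different segment types: a numeric segment is always newer.
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has characters left is the newer one.
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release).
    Epoch defaults to 0 (rpm prints '(none)' for an unset epoch); a missing
    release becomes ''."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e not in ("", "(none)"):
            epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(x: str, y: str) -> int:
    """Epoch first, then version, then release. Like rpm, the release is
    only compared when both sides carry one."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    c = rpmvercmp(vx, vy)
    if c or not (rx and ry):
        return c
    return rpmvercmp(rx, ry)


def is_patched(installed_evr: str, fixed_evr: str) -> bool:
    return evr_cmp(installed_evr, fixed_evr) >= 0


# Constructed sample (hostnames hypothetical): one line per storage node, as
# produced by  rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' DPM-gridftp-server
SAMPLE_REPORT = """\
se01.example.org DPM-gridftp-server-1.6.5-3
se02.example.org DPM-gridftp-server-1.6.4-2
se03.example.org DPM-gridftp-server-1.6.5-3.sl3
se04.example.org DPM-gridftp-server-1.6.5-2
"""


def unpatched_hosts(report: str, fixed_evr: str) -> list:
    """Return the hosts whose installed name-version-release is older than fixed_evr."""
    out = []
    for line in report.splitlines():
        if not line.strip():
            continue
        host, nvr = line.split(None, 1)
        _name, version, release = nvr.rsplit("-", 2)  # split on the last two hyphens only
        if not is_patched(f"{version}-{release}", fixed_evr):
            out.append(host)
    return out


if __name__ == "__main__":
    # 1.6.5-3 is the first fix named in the advisory (assumed threshold here);
    # use the EVR of the second update from the release notes for a real check.
    FIXED = "1.6.5-3"
    print("hosts still below", FIXED, ":", unpatched_hosts(SAMPLE_REPORT, FIXED))
```

Feed it the real per-host output gathered over the fleet and the fixed EVR from the release notes; a plain string or `sort -V` comparison would misorder releases such as "3" and "10" or pre-release tags such as "~rc1", which is why the port of rpm's algorithm is used.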