You will have seen this already, but please make sure that you upgrade if you haven't already.

Greig

-------- Original Message --------
Subject: [SECURITY] gLite 3.0 SECURITY PATCH. Priority: **URGENT**
Date: Thu, 19 Jul 2007 10:07:10 +0200
From: EGEE BROADCAST <[log in to unmask]>
To: [log in to unmask]

------------------------------------------------------------------------------------
Publication from : Nick Thackray <[log in to unmask]> (CERN)
This mail has been sent using the broadcasting tool available at http://cic.gridops.org
------------------------------------------------------------------------------------

Dear Site Admins and Security Contacts,

An updated version of DPM-gridftp-server was released recently to address a security vulnerability. However, additional circumstances where the vulnerability can be triggered have been discovered, hence a second update is needed to address the original issue. Updated packages have been released and all affected sites are invited to upgrade immediately.
<<< NOTE: THE UPDATED PACKAGES ARE AVAILABLE IMMEDIATELY FROM THE CERN REPOSITORIES >>>

EGEE Operational Security Coordination Team

********************************************************************************
http://www.gridpp.ac.uk/gsvg/advisories/advisory-27657.txt

Grid Security Vulnerability Group advisory

-- Date: 2007-07-18

-- Background

This is an update of Advisory-27657-2007-07-02.

The Disk Pool Manager (DPM) has been developed as a lightweight solution for disk storage management. The DPM offers a modified version of the Globus gridftp daemon for data access.

-- Vulnerability Details

The DPM gridftp server handles the credentials of authenticated users to manage permissions on the files. Unfortunately, under some circumstances the credentials are not correctly propagated. As a result, it is possible for a malicious user who has successfully authenticated against the DPM gridftp service to manipulate any file accessible by the service, including reading, writing, deleting and changing the permissions of the affected files and directories.

DPM-gridftp-server v1.6.5-3 was released recently to address this issue. However, additional circumstances where the vulnerability can be triggered have been discovered, hence a second update is needed to address the original issue.

-- Component and Installation information

Information on affected software, components and installation instructions are available with the release notes at:
http://glite.org/glite/packages/R3.0/updates.asp

-- Patch location

The patch is located at https://savannah.cern.ch/patch/index.php?1235

-- Credit

This vulnerability was discovered by Kostas Georgiou.
-- Disclosure Timeline

2007-06-19 Vulnerability reported to the LFC/DPM developers
2007-06-19 Initial response from the LFC/DPM developers
2007-06-26 Updated packages ready for certification and testing
2007-07-02 OSCT notified of the vulnerability
2007-07-02 Updated packages certified
2007-07-02 Release preparation completed
2007-07-02 Updated LCG and gLite packages available
2007-07-02 Public disclosure
2007-07-02 Site Admins and LCG Security Contacts notified
2007-07-04 Further vulnerabilities reported to the GSVG
2007-07-04 Response from the LFC/DPM developers
2007-07-10 Thorough fixing cycle involving the reporter finished
2007-07-17 Updated packages ready for certification and testing
2007-07-19 OSCT notified of the vulnerability
2007-07-19 Updated packages certified
2007-07-19 Release preparation completed
2007-07-19 Updated LCG and gLite packages available
2007-07-19 Public disclosure
2007-07-19 Site Admins and LCG Security Contacts notified

-- References

The details of the vulnerability and the update can be found here:
http://glite.web.cern.ch/glite/packages/R3.0/updates.asp

For more detailed information including fixed bugs, updated RPMs, configuration changes and how to deploy, please go to the 'Details' link next to each service on the 'Updates' web page.

All issues found with this update should be reported using GGUS: www.ggus.org.
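The advisory says the first fix (DPM-gridftp-server v1.6.5-3) is not sufficient and that sites must install the second update, whose version number is only given in the release notes linked above. A site admin checking a fleet therefore needs to compare the installed RPM version against the required one using rpm's own ordering rules, not plain string comparison (1.6.10 sorts after 1.6.5, and "3.sl3" is not older than "3"). The following is an added example, not code from DPM, gLite or the GSVG: it reimplements the core of rpm's version comparison (numeric/alpha segment rules, epoch, then version, then release; the tilde and caret rules of newer rpm are left out) and applies it to `rpm -q` output. The hostnames and installed versions in the sample input are constructed, and the `required` argument is whatever version the release notes name for the second update.

```python
"""Compare installed DPM-gridftp-server RPM versions against the patched
version, using rpm's version-ordering rules (rpmvercmp, simplified).

Added example for the advisory above; not DPM/gLite/GSVG code. The only
version taken from the page is the first fix, 1.6.5-3; the second update's
version must be supplied from the release notes.
"""
import re
import sys

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def _vercmp(a: str, b: str) -> int:
    """rpmvercmp core: split into digit runs and letter runs; digit runs
    compare numerically, letter runs lexically, and a digit run is newer
    than a letter run. Whichever string has segments left over is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def _split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(installed: str, required: str) -> int:
    """-1 if installed is older than required, 0 if equal, 1 if newer."""
    for x, y in zip(_split_evr(installed), _split_evr(required)):
        c = _vercmp(x, y)
        if c:
            return c
    return 0


def needs_upgrade(installed: str, required: str) -> bool:
    return compare_evr(installed, required) < 0


def check_rpm_report(lines, required: str):
    """Parse lines of the form '<host> <name> <evr>' (e.g. collected with
    rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\\n' DPM-gridftp-server
    on each host, prefixed by hostname) and report hosts still vulnerable."""
    vulnerable = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "DPM-gridftp-server":
            continue
        host, _, evr = parts
        evr = evr.replace("(none):", "")  # rpm prints '(none)' for no epoch
        if needs_upgrade(evr, required):
            vulnerable[host] = evr
    return vulnerable


# Constructed sample report (hostnames and versions are made up); the
# required version here is the first fix from the advisory, 1.6.5-3.
SAMPLE_REPORT = [
    "se01.example.org DPM-gridftp-server (none):1.6.5-2",
    "se02.example.org DPM-gridftp-server (none):1.6.5-3",
    "se03.example.org DPM-gridftp-server (none):1.6.4-10",
    "se04.example.org DPM-gridftp-server (none):1.6.5-3.sl3",
    "se05.example.org DPM-gridftp-server 0:1.6.10-1",
]

if __name__ == "__main__":
    required = sys.argv[1] if len(sys.argv) > 1 else "1.6.5-3"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_REPORT
    for host, evr in sorted(check_rpm_report(source, required).items()):
        print(f"{host}: installed {evr} < required {required}, UPGRADE")
```

Run it with the second update's version from the release notes as the first argument and feed it the per-host `rpm -q` output on stdin; with no input it runs against the constructed sample, where only se01 and se03 are reported. Note that a release like "3.sl3" is correctly treated as not older than "3", so a rebuilt package with a distribution tag does not raise a false alarm.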