Jeremy,

I think some sites are busy with experimental work at the moment. Once 
this is finished they intend to upgrade.

I've yet to hear anything from Sheffield on this matter, so it would be 
good if Alessandra could get in touch with them and ask them what their 
plans are for upgrade.

Greig

Coles, J (Jeremy) wrote:
> Hi
> 
> Are there any sites NOT considering upgrading to 1.6.X? It would
> certainly be better to deal with this upgrade before the holiday season
> starts so that you have a clear run at SL4 WNs afterwards!
> 
> Jeremy
> 
>> -----Original Message-----
>> From: Greig Alan Cowan [mailto:[log in to unmask]]
>> Sent: 03 July 2007 08:38
>> To: gridpp storage
>> Cc: GridPP Dteam
>> Subject: Re: [Fwd: [HEPMAN-LCG] gLite 3.0 SECURITY PATCH. Priority:
>> **URGENT**]
>>
>> The DPM developers have replied and have stated that they do not
>> advise running the 1.6.5-3 gridftp server while not upgrading the remaining
>> components of the DPM from 1.5.10. Their advice for sites running
>> 1.5.10 is to upgrade the entire DPM install to the production release.
>>
>> That being said, they are currently preparing an rpm for the 1.5.10
>> gridftp server that contains the security fix. This will allow sites to
>> quickly deploy the fix if they don't have enough time to upgrade the
>> entire DPM.
>>
>> Sites should be aware that they will still need to completely upgrade
>> their DPM to 1.6.X if they haven't already done so. 1.6.X gives the
>> SRM2.2 endpoint that will soon be essential for participating in WLCG.
>>
>> Greig
>>
>> Greig Alan Cowan wrote:
>>> All sites running v1.6.X of DPM should upgrade as soon as possible.
>>> Only the gridftp server has to be upgraded.
>>>
>>> For sites on v1.5.10 it *might* be possible to run the upgraded
>>> gridftp server with the remaining components on 1.5.10. This will allow the
>>> security patch to be deployed quickly while postponing the need for
>>> a complete upgrade to 1.6.X (which has some complications if you are
>>> still on 1.5.10). I am currently investigating this possibility.
>>>
>>> Cheers,
>>> Greig
>>>
>>>
>>> Alessandra Forti wrote:
>>>> TO ALL DPM SITES.
>>>>
>>>> -------- Original Message --------
>>>> Subject: [HEPMAN-LCG] gLite 3.0 SECURITY PATCH.   Priority: **URGENT**
>>>> Date: Mon, 2 Jul 2007 18:05:26 +0200
>>>> From: EGEE BROADCAST <[log in to unmask]>
>>>> To: [log in to unmask], [log in to unmask],
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------------
>>>>
>>>> Publication from : Nick Thackray <[log in to unmask]> (CERN)
>>>>
>>>> This mail has been sent using the broadcasting tool available at
>>>> http://cic.gridops.org
>>>>
>>>>
>>>> ------------------------------------------------------------------------------------
>>>>
>>>> Dear Site Admins and Security Contacts,
>>>>
>>>>
>>>> DPM-gridftp-server is currently affected by a security flaw.
>>>> Updated packages have been released and all affected sites are
>>>> invited to upgrade immediately.
>>>>
>>>> <<< NOTE:  THE UPDATED PACKAGES WILL BE AVAILABLE FROM 18:45 SWISS
>>>> LOCAL TIME [16:45 UTC] TODAY (2 July) >>>
>>>>
>>>>
>>>> Romain Wartel
>>>> EGEE Operational Security Coordination
>>>>
>>>>
>>>>
>>>>
>>>> ************************************************
>>>> ***              ADVISORY NOTES              ***
>>>> ************************************************
>>>>
>>>> DPM-gridftp-server Incorrect credentials propagation
>>>>
>>>> Operational Security Coordination Team Advisory
>>>>
>>>> -- Date: 2007-07-02
>>>>
>>>> -- Background
>>>>
>>>> The Disk Pool Manager (DPM) has been developed as a lightweight
>>>> solution for disk storage management. The DPM offers a modified
>>>> version of the Globus gridftp daemon for data access, among many
>>>> other protocols.
>>>>
>>>> -- Affected Software
>>>> LCG <= 2.7.x, gLite <= 3.0.x.
>>>>
>>>> gLite 3.1.x is not affected.
>>>>
>>>> -- Affected Components
>>>> All versions of the DPM-gridftp-server package are affected.
>>>>
>>>> DPM servers running with VDT 1.6 or later are not affected, because
>>>> they are using a different gridftp implementation from Globus
>>>> Toolkit 4, interfaced to DPM via a plug-in interface. This comes with the
>>>> package 'DPM-DSI', instead of the above mentioned 'DPM-gridftp-server'.
>>>> For gLite 3.x the affected meta-packages are:
>>>>
>>>> glite-SE_dpm_disk
>>>> glite-SE_dpm_mysql
>>>> glite-SE_dpm_oracle
>>>>
>>>> Sites running LCG 2.x are asked to upgrade their DPM-gridftp-server
>>>> to gLite.
>>>>
>>>> -- Vulnerability Details
>>>>
>>>> The DPM gridftp server is handling the credentials of authenticated
>>>> users to manage permissions on the files. Unfortunately, it appears
>>>> that under some circumstances, the credentials are not correctly
>>>> propagated.
>>>>
>>>> As a result, it is possible for a malicious user who successfully
>>>> authenticated against the DPM gridftp service to manipulate any
>>>> file accessible by the service, including reading, writing, deleting and
>>>> changing the permissions of the affected files and directories.
>>>>
>>>> -- Further documentation
>>>> This advisory is also available at the following URL:
>>>>
>>>> http://glite.org/glite/packages/R3.0/updates.asp
>>>>
>>>> -- Installation Notes
>>>> The following rpms have been made available:
>>>>
>>>> DPM-gridftp-server-1.6.5-3sec.i386.rpm
>>>>
>>>> It is possible to upgrade the 'DPM-gridftp-server' component only
>>>> (without upgrading the rest of the DPM components) from any version
>>>> including 1.6.0 to 1.6.5-2.
>>>>
>>>> If the upgrade is not feasible, then we recommend stopping the DPM
>>>> gridftp service and contacting the developers for the possibility
>>>> of a custom upgrade path:
>>>>
>>>>   /sbin/service dpm-gsiftp stop
>>>>   /sbin/chkconfig --del dpm-gsiftp
>>>>
>>>> They are available in the appropriate repositories for each
>>>> distribution.
>>>> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
>>>>
>>>> -- Credit
>>>> This vulnerability has been discovered by Kostas Georgiou.
>>>>
>>>> -- Disclosure Timeline
>>>> 2007-06-19 Vulnerability reported to the LFC/DPM developers
>>>> 2007-06-19 Initial response from the LFC/DPM developers
>>>> 2007-06-26 Updated packages ready for certification and testing
>>>> 2007-07-02 OSCT notified of the vulnerability
>>>> 2007-07-02 Updated packages certified
>>>> 2007-07-02 Release preparation completed
>>>> 2007-07-02 Updated LCG and gLite packages available
>>>> 2007-07-02 Public disclosure
>>>> 2007-07-02 Site Admins and LCG Security Contacts notified
>>>>
>>>> -- References
>>>>
>>>> The details of the vulnerability and the update can be found here:
>>>>
>>>> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
>>>>
>>>> For more detailed information including fixed bugs, updated RPMs,
>>>> configuration changes and how to deploy, please go to the 'Details'
>>>> link next to each service on the 'Updates' web page.
>>>>
>>>> All issues found with this update should be reported using GGUS:
>>>> www.ggus.org
>>>>
>>>>
>>>> _______________________________________________
>>>> Hepman-lcg mailing list
>>>> [log in to unmask]
>>>> http://lists.manchester.ac.uk/mailman/listinfo/hepman-lcg
>>>>
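A site-side triage helper built from the advisory's version rules (fixed at 1.6.5-3sec; 1.6.0 to 1.6.5-2 can replace the gridftp rpm alone; older releases such as 1.5.10 need the full DPM upgrade, or the service stopped meanwhile). This is an added example, not code from the thread or from the DPM project; the function names and status labels are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread or the DPM project:
# classify an installed DPM-gridftp-server version against the advisory.
# Function names and status labels are assumptions made for this example.

# Turn "MAJOR.MINOR.PATCH-RELEASE" (e.g. "1.6.5-3sec") into a sortable integer:
# major*10^9 + minor*10^6 + patch*10^3 + numeric prefix of the release.
dpm_version_key() {
    base="${1%%-*}"                                 # "1.6.5"
    rel="${1#*-}"; [ "$rel" = "$1" ] && rel=0       # no dash -> release 0
    rel="${rel%%[!0-9]*}"; [ -z "$rel" ] && rel=0   # "3sec" -> 3
    major="${base%%.*}"; rest="${base#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0               # "1.6" -> patch 0
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + rel ))
}

# Status labels (assumed names) following the advisory's installation notes:
#   fixed                         -> 1.6.5-3sec or newer
#   affected-upgrade-gridftp-only -> 1.6.0 .. 1.6.5-2, the gridftp rpm alone suffices
#   affected-full-upgrade         -> older (e.g. 1.5.10), full DPM upgrade advised
#   not-installed                 -> package absent (e.g. DPM-DSI hosts, not affected)
dpm_gridftp_status() {
    if [ -z "$1" ]; then echo "not-installed"; return 0; fi
    key=$(dpm_version_key "$1")
    if   [ "$key" -ge "$(dpm_version_key 1.6.5-3sec)" ]; then echo "fixed"
    elif [ "$key" -ge "$(dpm_version_key 1.6.0)" ];     then echo "affected-upgrade-gridftp-only"
    else                                                     echo "affected-full-upgrade"
    fi
}

# Read the installed version from the local rpm database (when rpm exists)
# and print the advisory's fallback for hosts that cannot upgrade right away.
dpm_gridftp_check_local() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host"; return 1; }
    ver=""
    if rpm -q DPM-gridftp-server >/dev/null 2>&1; then
        ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' DPM-gridftp-server)
    fi
    status=$(dpm_gridftp_status "$ver")
    echo "DPM-gridftp-server ${ver:-absent}: $status"
    case "$status" in
        affected-*) echo "If the upgrade cannot be done now, stop the service:"
                    echo "  /sbin/service dpm-gsiftp stop; /sbin/chkconfig --del dpm-gsiftp" ;;
    esac
}
```

Run `dpm_gridftp_check_local` on a DPM head or disk node to get the classification; `dpm_gridftp_status` can be fed version strings collected from other hosts.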