On Thu, Aug 23, 2007 at 02:25:40PM +0100, Greig Alan Cowan wrote:
> Hi all DPM sites,
>
> (apologies for cross posting)
>
> As some of you will have seen, another bug in the DPM gridftp server has
> been found and subsequently patched.
>
> All details of the update can be found here:
> http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
>
> The security advisory issued by the GSVG can be found here:
> http://www.gridpp.ac.uk/gsvg/advisories/advisory-28462.txt
>
> All DPM sites should use YAIM (or your method of choice) to upgrade to
> the latest version (DPM-gridftp-server-1.6.5-6) ASAP. Depending on how
> regularly you have been updating, there may also be new rpms available
> for other components of the DPM (all of these are on 1.6.5-5). Let me
> know if there are any problems.
People should probably also check that the master node and the pools
have not been "tainted" since the bug allowed any gridftp user to write
*anywhere* in the filesystem as root.
Cheers,
Kostas
|