Document retrieved from a search-engine cache. Address of the original document: http://theory.sinp.msu.ru/pipermail/ru-ngi/2015q3/001638.html
Modified: Wed Sep 30 21:24:13 2015. Indexed: Sun Apr 10 18:27:44 2016.
-------- Forwarded Message --------
Subject: [Noc-managers] **UPDATE*** EGI SVG Advisory 'High' RISK -
Vulnerability in the dCache SRM server module [EGI-SVG-2015-9495]
Date: Wed, 30 Sep 2015 09:11:25 +0000
From: linda.cornwall at stfc.ac.uk
To: site-security-contacts at mailman.egi.eu,
ngi-security-contacts at mailman.egi.eu, noc-managers at mailman.egi.eu
CC: tigran.mkrtchyan at desy.de, patrick.fuhrmann at desy.de,
behrmann at ndgf.org, svg-rat at mailman.egi.eu, csirt at mailman.egi.eu
** AMBER information - Limited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI SVG ADVISORY [EGI-SVG-2015-9495]
Title: **UPDATE*** EGI SVG Advisory 'High' RISK - Vulnerability in
the dCache SRM server module [EGI-SVG-2015-9495]
Date: 2015-09-22
Updated: 2015-09-30
This advisory will be placed on the wiki on or after 14th October 2015
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9495
Introduction
============
dCache [R 1] is a data storage and retrieval system.
A vulnerability has been found in the dCache SRM server module by the
dCache team, who also alerted SVG to this problem.
A fixed binary version is available on the dCache site [R 2].
**UPDATE**
A fixed version is now available in the EGI UMD.
Details
=======
See the dCache page. [R 1]
Risk category
=============
This issue has been assessed as 'High' risk by the EGI SVG Risk
Assessment Team.
Affected software
=================
All dCache versions prior to this patch are affected.
The releases which fix this issue are:
2.13.9
2.12.21
2.11.32
2.10.41
2.6.52
It was noted by the dCache team that several sites still run the
unsupported 2.6 dCache. Given these sites currently suffer from a High
risk vulnerability, dCache have made an additional release: 2.6.52
Mitigation
==========
N/A.
Component installation information
==================================
Updates are available on the dCache site [R 2]
Release notes are available at the dCache site.
https://www.dcache.org/downloads/1.9/release-notes-2.13.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.12.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.11.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.10.shtml
https://www.dcache.org/downloads/1.9/unsupported/release-notes-2.6.shtml
The official repository for the distribution of grid middleware for EGI
sites is repository.egi.eu which contains the EGI Unified Middleware
Distribution (UMD).
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
**UPDATE**
UMD 3.13.4 has been released and contains the fix for this issue at:
http://repository.egi.eu/2015/09/29/release-umd-3-13-4/
Other Information
==================
To give sites time to upgrade their dCache, the dCache team will not
release any details of the vulnerability at this time. This includes
not making public the source-code for the fix for a 'grace period' of
two weeks, as doing so would also reveal information on the vulnerability.
During this two week grace period, dCache will make no further releases.
Once the grace-period elapses, all code changes will be pushed into
github and dCache will continue normal bug-fix release cycles.
**UPDATE**
A fixed version is now available in the EGI UMD
Recommendations
===============
Sites are recommended to update the SRM head node component as soon as
possible if they have not done so already.
Credit
======
This vulnerability was discovered by Gerd Behrmann (NDGF) from the
dCache team.
References
==========
[R 1] https://www.dcache.org/
[R 2] https://www.dcache.org/downloads/1.9/
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
We are currently revising the vulnerability issue handling procedure so
suggestions and comments are welcome.
Timeline
========
Yyyy-mm-dd
2015-09-15 Vulnerability discovered by Gerd Behrmann (NDGF) from the
dCache team, reported to SVG by Patrick Fuhrmann.
2015-09-15 Acknowledgement from the EGI SVG to the reporter
2015-09-18 Assessment by the EGI Software Vulnerability Group reported
to the software providers.
2015-09-22 Updated packages available on the dCache site.
2015-09-29 Updated packages available in EGI UMD 3
2015-09-30 Updated advisory sent to sites
On behalf of the EGI SVG,
------------------------------------------------------------------
Dr Linda Cornwall,
Particle Physics Department,
STFC Rutherford Appleton Laboratory,
Harwell Oxford,
DIDCOT,
OX11 OQX,
United Kingdom
E-mail Linda.Cornwall at stfc.ac.uk
Tel. +44 (0) 1235 44 6138
Skype linda.ann.cornwall
_______________________________________________
Noc-managers mailing list
Noc-managers at mailman.egi.eu
https://mailman.egi.eu/mailman/listinfo/noc-managers
--
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156
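The advisory gives one fixed release per supported dCache series (2.13.9, 2.12.21, 2.11.32, 2.10.41 and the extra 2.6.52) and says every earlier version is affected, but it does not tell a site operator how to turn an installed version string into a verdict. The following checker is an added example written for this page; it is not code from EGI or the dCache project. It assumes the version is obtained from something like `rpm -q dcache` or `dcache version` and contains a dotted major.minor.patch, and it deliberately does not claim that a series newer than any listed here is patched, since the advisory says nothing about such releases. The inventory at the bottom is constructed sample input.

```python
"""Assess installed dCache versions against the fixed releases in EGI-SVG-2015-9495.

Added example for this page, not EGI or dCache project code.  Version strings
are assumed to contain a dotted major.minor.patch somewhere (as rpm -q or
'dcache version' output does); everything else in the string is ignored.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) series.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (2, 13): (2, 13, 9),
    (2, 12): (2, 12, 21),
    (2, 11): (2, 11, 32),
    (2, 10): (2, 10, 41),
    (2, 6): (2, 6, 52),
}

NEWEST_LISTED_SERIES = max(FIXED_RELEASES)  # (2, 13)

# Verdicts returned by assess().
PATCHED = "patched"                     # at or above the fixed release of its series
VULNERABLE = "vulnerable"               # same series, below the fixed release
UNSUPPORTED_SERIES = "unsupported-series"  # e.g. 2.7-2.9: no fixed release, upgrade series
NEWER_THAN_ADVISORY = "newer-than-advisory"  # series not covered by the advisory


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triple from a version string.

    Accepts bare '2.13.9' as well as package names such as
    'dcache-2.10.39-1.noarch'.  Raises ValueError if no triple is present.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return one of the verdict constants for an installed dCache version."""
    version = parse_version(version_text)
    series = version[:2]
    fix = FIXED_RELEASES.get(series)
    if fix is None:
        # Unlisted series: older ones have no fix and must move to a listed
        # series; newer ones are outside the advisory's scope, so do not
        # silently call them patched.
        if series > NEWEST_LISTED_SERIES:
            return NEWER_THAN_ADVISORY
        return UNSUPPORTED_SERIES
    return PATCHED if version >= fix else VULNERABLE


def hosts_needing_action(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for every host that is not at a fixed release.

    Hosts in a newer, uncovered series are included so an operator checks
    them by hand rather than assuming they are safe.
    """
    return {
        host: verdict
        for host, version in inventory.items()
        if (verdict := assess(version)) != PATCHED
    }


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "srm01.example.org": "dcache-2.13.9-1.noarch",
        "srm02.example.org": "dcache-2.10.39-1.noarch",
        "srm03.example.org": "2.6.52",
        "srm04.example.org": "2.8.3",
    }
    for host, verdict in hosts_needing_action(sample).items():
        print(f"{host}: {verdict}")
```

Run it against the real output of `rpm -q dcache` (or `dcache version`) on each SRM head node; any host that appears in the output still needs the update the advisory asks for, and a host reported as `unsupported-series` cannot be fixed by a point release within its series.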