|
Документ взят из кэша поисковой машины. Адрес
оригинального документа
: http://theory.sinp.msu.ru/pipermail/ru-ngi/2014q2/001330.html
Дата изменения: Wed May 14 09:45:16 2014 Дата индексирования: Sun Apr 10 17:54:37 2016 Кодировка: |
-------- Original Message --------
Subject: [Noc-managers] EGI SVG Advisory 'High' RISK - DPM version in
EPEL [EGI-SVG-2014-6963]
Date: Mon, 12 May 2014 13:35:12 +0000
From: <linda.cornwall at stfc.ac.uk>
To: <site-security-contacts at mailman.egi.eu>,
<ngi-security-contacts at mailman.egi.eu>, <noc-managers at mailman.egi.eu>
CC: furano at cern.ch, oliver.keeble at cern.ch, David.Smith at cern.ch,
svg-rat at mailman.egi.eu, csirt at mailman.egi.eu
** AMBER information - Limited distribution
**
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution
restrictions **
EGI SVG ADVISORY [EGI-SVG-2014-6963]
Title: EGI SVG Advisory 'High' RISK - DPM version in EPEL
[EGI-SVG-2014-6963]
Date: 2014-05-12
Updated:
This will be placed on the wiki after 26th May 2014
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-6963
Introduction
============
A vulnerability has been introduced to one version of DPM released in EPEL.
This allows an unauthenticated user to access data, and to modify data.
This has now been fixed.
Details
=======
A vulnerability has been introduced by the developers and found by the
developers in a version of DPM released in EPEL.
This vulnerable version of DPM has only been made available in EPEL and
is only deployed on a small number of sites.
This vulnerability has been fixed in the version of DPM now available in
EPEL.
Information on DPM itself is available on the DPM Wiki [R 1]
Risk category
=============
This issue has been assessed as 'High' risk by the EGI SVG Risk
Assessment Team.
Affected software
=================
DPM version available in EPEL dmlite-libs-0.6.2-1 is affected.
Note that this is the **ONLY** vulnerable version.
This is fixed in dmlite-libs-0.6.2-2
Earlier versions of DPM are not affected.
The versions in the EGI UMD are not affected.
Mitigation
==========
N/A - any sites which have installed the vulnerable version should
update as soon as possible.
Component installation information
==================================
Sites installing from EPEL who have the vulnerable version should simply
update using
yum update
Followed by a restart of the DPM daemons (incl. httpd, xrootd and gridftp).
(or alternatively re-start the machine.)
More information in the installation and configuration of DPM is
available in
[R 2] and [R 3]
Recommendations
===============
Affected sites are recommended to update relevant components as soon as
possible.
Credit
======
This vulnerability was reported by David Smith of the DPM team.
References
==========
[R 1] Main DPM wiki: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm
[R 2] Installation: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/Install
[R 3] Configuration:
https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/ConfigurationIdx
Timeline
========
Yyyy-mm-dd
2014-05-02 Vulnerability reported by David Smith
2014-05-02 Acknowledgement from the EGI SVG to the reporter
2014-05-02 Software providers providing fix
2014-05-08 Assessment by the EGI Software Vulnerability Group at EGI SVG
monthly meeting
2014-05-08 Risk reported to the software providers
2014-05-08 Updated packages available in the EPEL repository
2014-05-12 Amber advisory sent to sites.
2014-??-?? Public disclosure
On behalf of the EGI SVG,
------------------------------------------------------------------
Dr Linda Cornwall,
Particle Physics Department,
STFC Rutherford Appleton Laboratory,
Harwell Oxford,
DIDCOT,
OX11 OQX,
United Kingdom
E-mail Linda.Cornwall at stfc.ac.uk
Tel. +44 (0) 1235 44 6138
Skype linda.ann.cornwall
--
Scanned by iCritical.
_______________________________________________
Noc-managers mailing list
Noc-managers at mailman.egi.eu
https://mailman.egi.eu/mailman/listinfo/noc-managers
--
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156