Document retrieved from a search engine cache. Address of the original document:
http://theory.sinp.msu.ru/pipermail/ru-ngi/2014q2/001330.html
Modified: Wed May 14 09:45:16 2014
Indexed: Sun Apr 10 17:54:37 2016
-------- Original Message --------
Subject: [Noc-managers] EGI SVG Advisory 'High' RISK - DPM version in EPEL [EGI-SVG-2014-6963]
Date: Mon, 12 May 2014 13:35:12 +0000
From: <linda.cornwall at stfc.ac.uk>
To: <site-security-contacts at mailman.egi.eu>, <ngi-security-contacts at mailman.egi.eu>, <noc-managers at mailman.egi.eu>
CC: furano at cern.ch, oliver.keeble at cern.ch, David.Smith at cern.ch, svg-rat at mailman.egi.eu, csirt at mailman.egi.eu

** AMBER information - Limited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2014-6963]

Title:   EGI SVG Advisory 'High' RISK - DPM version in EPEL [EGI-SVG-2014-6963]
Date:    2014-05-12
Updated:
This will be placed on the wiki after 26th May 2014
URL:     https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-6963

Introduction
============

A vulnerability was introduced in one version of DPM released in EPEL. It allows an unauthenticated user to access data, and to modify it. The issue has now been fixed.

Details
=======

The vulnerability was introduced by the DPM developers, and found by the DPM developers themselves, in a version of DPM released in EPEL. The vulnerable version has only been made available in EPEL and is deployed at only a small number of sites. It is fixed in the version of DPM now available in EPEL.

Information on DPM itself is available on the DPM wiki [R 1].

Risk category
=============

This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team.

Affected software
=================

The DPM version available in EPEL as dmlite-libs-0.6.2-1 is affected. Note that this is the **ONLY** vulnerable version.

This is fixed in dmlite-libs-0.6.2-2.

Earlier versions of DPM are not affected. The versions in the EGI UMD are not affected.

Mitigation
==========

N/A - any site that has installed the vulnerable version should update as soon as possible.
Component installation information
==================================

Sites installing from EPEL that have the vulnerable version should simply update using

    yum update

followed by a restart of the DPM daemons (including httpd, xrootd and gridftp), or alternatively a restart of the machine.

More information on the installation and configuration of DPM is available in [R 2] and [R 3].

Recommendations
===============

Affected sites are recommended to update the relevant components as soon as possible.

Credit
======

This vulnerability was reported by David Smith of the DPM team.

References
==========

[R 1] Main DPM wiki: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm
[R 2] Installation: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/Install
[R 3] Configuration: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/ConfigurationIdx

Timeline
========
Yyyy-mm-dd
2014-05-02 Vulnerability reported by David Smith
2014-05-02 Acknowledgement from the EGI SVG to the reporter
2014-05-02 Software providers providing fix
2014-05-08 Assessment by the EGI Software Vulnerability Group at EGI SVG monthly meeting
2014-05-08 Risk reported to the software providers
2014-05-08 Updated packages available in the EPEL repository
2014-05-12 Amber advisory sent to sites.
2014-??-?? Public disclosure

On behalf of the EGI SVG,
------------------------------------------------------------------
Dr Linda Cornwall, Particle Physics Department,
STFC Rutherford Appleton Laboratory, Harwell Oxford, DIDCOT, OX11 OQX, United Kingdom
E-mail Linda.Cornwall at stfc.ac.uk
Tel. +44 (0) 1235 44 6138
Skype linda.ann.cornwall

--
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156
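The check-and-update procedure from the "Affected software" and "Component installation information" sections above, as an added shell example that is not part of the EGI advisory or of the DPM project. It classifies the installed dmlite-libs build against the single affected build the advisory names (0.6.2-1, fixed in 0.6.2-2) and, only when explicitly asked, runs the update and daemon restart the advisory prescribes. The `rpm -q --qf '%{VERSION}-%{RELEASE}'` query is a real rpm invocation; the EPEL release-tag layout (`1.el6`: integer, then dist tag) and the gridftp service name `dpm-gsiftp` are assumptions, and the daemon list should be taken from the local installation.

```shell
#!/bin/sh
# Added example, not code from the EGI advisory or the DPM project.
# Classifies an installed dmlite-libs build against EGI-SVG-2014-6963:
# the advisory names dmlite-libs-0.6.2-1 as the only vulnerable build and
# 0.6.2-2 as the fix. Earlier versions and the EGI UMD builds are unaffected.
# Assumption: EPEL release tags look like "1.el6" (integer, then dist tag).

VULN_VERSION="0.6.2"
VULN_RELEASE=1
FIXED_RELEASE=2

# Daemons to restart after the update, per the advisory (httpd, xrootd,
# gridftp). "dpm-gsiftp" is an ASSUMED SysV service name for the DPM
# gridftp server; set DPM_SERVICES to the names used on your host.
DPM_SERVICES="${DPM_SERVICES:-httpd xrootd dpm-gsiftp}"

# dmlite_status VERSION-RELEASE
# Input is what `rpm -q --qf '%{VERSION}-%{RELEASE}' dmlite-libs` prints,
# e.g. "0.6.2-1.el6". Prints vulnerable|fixed|unaffected|unknown and
# returns 0|1|2|3 respectively, so callers can branch on the exit code.
dmlite_status() {
    vr="$1"
    ver="${vr%%-*}"      # up to the first '-'  -> 0.6.2
    rel="${vr#*-}"       # after the first '-'  -> 1.el6
    relnum="${rel%%.*}"  # drop the dist tag    -> 1
    case "$relnum" in
        ''|*[!0-9]*) echo unknown; return 3 ;;
    esac
    if [ "$ver" != "$VULN_VERSION" ]; then
        # Advisory: only 0.6.2-1 is vulnerable; other versions are not.
        echo unaffected; return 2
    fi
    if [ "$relnum" -eq "$VULN_RELEASE" ]; then
        echo vulnerable; return 0
    elif [ "$relnum" -ge "$FIXED_RELEASE" ]; then
        echo fixed; return 1
    fi
    echo unknown; return 3
}

# installed_dmlite_vr: VERSION-RELEASE of the installed package.
# Fails (non-zero) when dmlite-libs is not installed.
installed_dmlite_vr() {
    rpm -q dmlite-libs >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' dmlite-libs | head -n 1
}

# remediate_host: the advisory's fix for EPEL sites, a full "yum update"
# followed by a restart of the DPM daemons. Requires root.
remediate_host() {
    yum -y update || return 1
    for svc in $DPM_SERVICES; do
        service "$svc" restart || echo "warning: could not restart $svc" >&2
    done
}

# Only touch the live host when explicitly asked (--check or --fix), so the
# file can be sourced without side effects.
case "${1:-}" in
    --check|--fix)
        vr=$(installed_dmlite_vr) || { echo "dmlite-libs is not installed"; exit 2; }
        status=$(dmlite_status "$vr") || true
        echo "dmlite-libs $vr: $status"
        if [ "$status" = vulnerable ] && [ "$1" = --fix ]; then
            remediate_host
        fi
        ;;
esac
```

Run `sh dmlite-check.sh --check` on a DPM head or disk node to classify the installed build, and `--fix` as root to apply the update and restart the daemons; a restart of the whole machine, as the advisory also allows, is the fallback when the local service names differ from the assumed ones.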