SVG:Advisory-SVG-2012-4670
Advisory-SVG-2012-4670
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2012-4670]

Title: EGI SVG Advisory 'Moderate' Risk DPM buffer overflow in SRM v2.2 endpoint
Date: 2013-02-19
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-4670

Introduction
============

A buffer overflow vulnerability has been found in DPM in the SRM v2.2 endpoint.

A new version of DPM which resolves these vulnerabilities is now available in the EMI-1 and EMI-2 distributions. This version is also available in EGI UMD-1 and EGI UMD-2.

Details
=======

A buffer overflow vulnerability has been found in DPM in the SRM v2.2 endpoint.

Risk category
=============

This issue has been assessed as "Moderate" risk by the EGI SVG Risk Assessment Team.

Affected software
=================

DPM version 1.8.4, available both in the EMI 2 distribution and the EGI UMD 2 distribution.

DPM version 1.8.2, available both in the EMI 1 distribution and the EGI UMD 1 distribution.

This vulnerability has been fixed in DPM 1.8.6 as available in EMI 1 Update 23 and EMI 2 Update 8.

The package has also been released in EGI UMD-1 Release 1.10.0

http://repository.egi.eu/2013/02/19/release-umd-1-10-0/

and UMD-2 Release 2.4.0

http://repository.egi.eu/2013/02/18/release-umd-2-4-0/

Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu, which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-2/
http://repository.egi.eu/category/umd_releases/distribution/umd_1/

Sites installing directly from EMI should see:

http://www.eu-emi.eu/emi-2-matterhorn/updates/
http://www.eu-emi.eu/emi-1-kebnekaise-updates/

Recommendations
===============

Sites are recommended to update relevant components.

Credit
======

This vulnerability was reported to SVG by Eygene Ryabinkin.

Timeline
========

Yyyy-mm-dd

2012-11-19 Vulnerability reported to SVG by Eygene Ryabinkin
2012-11-19 Acknowledgement from the EGI SVG to the reporter
2012-11-21 Assessment by the EGI Software Vulnerability Group reported to the software providers
2013-01-28 Updated packages available in the EMI distribution
2013-02-19 Updated packages available in the EGI UMD-1 and EGI UMD-2
2013-02-19 Public disclosure