Difference between revisions of "SVG:Advisory-SVG-2012-3390"
Jump to navigation
Jump to search
(Created page with "{{svg-header}} <pre> This is a placeholder for Vulnerability issue 3390. The advisory has not been publicly released yet. </pre>") |
|||
Line 3: | Line 3: | ||
<pre> | <pre> | ||
This is a | ** WHITE information - Unlimited distribution allowed ** | ||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | |||
EGI SVG ADVISORY [EGI-SVG-2012-3390] | |||
Title: "Low" Risk: DPM Information Leak Vulnerability | |||
Date: 2014-08-05 | |||
Updated: | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-3390 | |||
Introduction | |||
============ | |||
An information leak vulnerability has been found in DPM (Disk Pool Manager.) | |||
This has been resolved via a new version of the dpm-dsi library which is available | |||
in the EGI UMD. | |||
Details | |||
======= | |||
An information leak vulnerability has been found in DPM which may allow users | |||
to access files including log files which they are not entitled to access. | |||
This has been resolved via a new version of the dpm-dsi library used by DPM which | |||
is available in the EGI UMD. | |||
This version of this library which resolves this issue is also available in EPEL. | |||
Risk Category | |||
============= | |||
This issue has been assessed as "Low" risk by the EGI SVG Risk Assessment Team | |||
Affected Software | |||
================= | |||
DPM versions containing versions of the dpm-dsi library earlier than | |||
dpm-dsi-1.9.3 are affected. | |||
This vulnerability has been fixed by version dpm-dsi-1.9.3 as available | |||
in the EGI UMD-3 | |||
Mitigation | |||
========== | |||
No mitigation is recommended. | |||
Component Installation information | |||
================================== | |||
The official repository for the distribution of grid middleware for EGI sites is | |||
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). | |||
Sites using the EGI UMD 3 should see: | |||
http://repository.egi.eu/category/umd_releases/distribution/umd-3/ | |||
http://repository.egi.eu/2014/07/24/dpm-dsi-1-9-3-3/ | |||
Please note that DPM is no longer maintained in the EMI repository. | |||
DPM is now also available in EPEL | |||
https://fedoraproject.org/wiki/EPEL | |||
Recommendations | |||
=============== | |||
Sites are recommended to update their software in due course. | |||
Credit | |||
====== | |||
This Vulnerability was reported by Ulf Tigerstedt | |||
Timeline | |||
======== | |||
Yyyy-mm-dd | |||
2012-02-09 Vulnerability reported by Ulf Tigerstedt | |||
2012-02-09 Acknowledgement from the EGI SVG to the reporter | |||
2012-02-14 Software providers responded and involved in investigation | |||
2012-02-20 Assessment by the EGI Software Vulnerability Group reported | |||
to the software providers | |||
2014-07-24 Updated packages available in the EGI UMD | |||
2014-08-04 Checked that above version fixes this vulnerability. | |||
2014-08-05 Public disclosure | |||
. | |||
</pre> | </pre> |
Latest revision as of 14:47, 5 August 2014
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2012-3390
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI SVG ADVISORY [EGI-SVG-2012-3390] Title: "Low" Risk: DPM Information Leak Vulnerability Date: 2014-08-05 Updated: URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-3390 Introduction ============ An information leak vulnerability has been found in DPM (Disk Pool Manager.) This has been resolved via a new version of the dpm-dsi library which is available in the EGI UMD. Details ======= An information leak vulnerability has been found in DPM which may allow users to access files including log files which they are not entitled to access. This has been resolved via a new version of the dpm-dsi library used by DPM which is available in the EGI UMD. This version of this library which resolves this issue is also available in EPEL. Risk Category ============= This issue has been assessed as "Low" risk by the EGI SVG Risk Assessment Team Affected Software ================= DPM versions containing versions of the dpm-dsi library earlier than dpm-dsi-1.9.3 are affected. This vulnerability has been fixed by version dpm-dsi-1.9.3 as available in the EGI UMD-3 Mitigation ========== No mitigation is recommended. Component Installation information ================================== The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). Sites using the EGI UMD 3 should see: http://repository.egi.eu/category/umd_releases/distribution/umd-3/ http://repository.egi.eu/2014/07/24/dpm-dsi-1-9-3-3/ Please note that DPM is no longer maintained in the EMI repository. DPM is now also available in EPEL https://fedoraproject.org/wiki/EPEL Recommendations =============== Sites are recommended to update their software in due course. Credit ====== This Vulnerability was reported by Ulf Tigerstedt Timeline ======== Yyyy-mm-dd 2012-02-09 Vulnerability reported by Ulf Tigerstedt 2012-02-09 Acknowledgement from the EGI SVG to the reporter 2012-02-14 Software providers responded and involved in investigation 2012-02-20 Assessment by the EGI Software Vulnerability Group reported to the software providers 2014-07-24 Updated packages available in the EGI UMD 2014-08-04 Checked that above version fixes this vulnerability. 2014-08-05 Public disclosure .