The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:Advisory-SVG-2012-3390"
Jump to navigation
Jump to search
(Created page with "{{svg-header}} <pre> This is a placeholder for Vulnerability issue 3390. The advisory has not been publicly released yet. </pre>") |
|||
| Line 3: | Line 3: | ||
<pre> | <pre> | ||
This is a | ** WHITE information - Unlimited distribution allowed ** | ||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | |||
EGI SVG ADVISORY [EGI-SVG-2012-3390] | |||
Title: "Low" Risk: DPM Information Leak Vulnerability | |||
Date: 2014-08-05 | |||
Updated: | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-3390 | |||
Introduction | |||
============ | |||
An information leak vulnerability has been found in DPM (Disk Pool Manager.) | |||
This has been resolved via a new version of the dpm-dsi library which is available | |||
in the EGI UMD. | |||
Details | |||
======= | |||
An information leak vulnerability has been found in DPM which may allow users | |||
to access files including log files which they are not entitled to access. | |||
This has been resolved via a new version of the dpm-dsi library used by DPM which | |||
is available in the EGI UMD. | |||
This version of this library which resolves this issue is also available in EPEL. | |||
Risk Category | |||
============= | |||
This issue has been assessed as "Low" risk by the EGI SVG Risk Assessment Team | |||
Affected Software | |||
================= | |||
DPM versions containing versions of the dpm-dsi library earlier than | |||
dpm-dsi-1.9.3 are affected. | |||
This vulnerability has been fixed by version dpm-dsi-1.9.3 as available | |||
in the EGI UMD-3 | |||
Mitigation | |||
========== | |||
No mitigation is recommended. | |||
Component Installation information | |||
================================== | |||
The official repository for the distribution of grid middleware for EGI sites is | |||
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). | |||
Sites using the EGI UMD 3 should see: | |||
http://repository.egi.eu/category/umd_releases/distribution/umd-3/ | |||
http://repository.egi.eu/2014/07/24/dpm-dsi-1-9-3-3/ | |||
Please note that DPM is no longer maintained in the EMI repository. | |||
DPM is now also available in EPEL | |||
https://fedoraproject.org/wiki/EPEL | |||
Recommendations | |||
=============== | |||
Sites are recommended to update their software in due course. | |||
Credit | |||
====== | |||
This Vulnerability was reported by Ulf Tigerstedt | |||
Timeline | |||
======== | |||
Yyyy-mm-dd | |||
2012-02-09 Vulnerability reported by Ulf Tigerstedt | |||
2012-02-09 Acknowledgement from the EGI SVG to the reporter | |||
2012-02-14 Software providers responded and involved in investigation | |||
2012-02-20 Assessment by the EGI Software Vulnerability Group reported | |||
to the software providers | |||
2014-07-24 Updated packages available in the EGI UMD | |||
2014-08-04 Checked that above version fixes this vulnerability. | |||
2014-08-05 Public disclosure | |||
. | |||
</pre> | </pre> | ||
Latest revision as of 14:47, 5 August 2014
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2012-3390
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI SVG ADVISORY [EGI-SVG-2012-3390]
Title: "Low" Risk: DPM Information Leak Vulnerability
Date: 2014-08-05
Updated:
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-3390
Introduction
============
An information leak vulnerability has been found in DPM (Disk Pool Manager.)
This has been resolved via a new version of the dpm-dsi library which is available
in the EGI UMD.
Details
=======
An information leak vulnerability has been found in DPM which may allow users
to access files including log files which they are not entitled to access.
This has been resolved via a new version of the dpm-dsi library used by DPM which
is available in the EGI UMD.
This version of this library which resolves this issue is also available in EPEL.
Risk Category
=============
This issue has been assessed as "Low" risk by the EGI SVG Risk Assessment Team
Affected Software
=================
DPM versions containing versions of the dpm-dsi library earlier than
dpm-dsi-1.9.3 are affected.
This vulnerability has been fixed by version dpm-dsi-1.9.3 as available
in the EGI UMD-3
Mitigation
==========
No mitigation is recommended.
Component Installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
http://repository.egi.eu/2014/07/24/dpm-dsi-1-9-3-3/
Please note that DPM is no longer maintained in the EMI repository.
DPM is now also available in EPEL
https://fedoraproject.org/wiki/EPEL
Recommendations
===============
Sites are recommended to update their software in due course.
Credit
======
This Vulnerability was reported by Ulf Tigerstedt
Timeline
========
Yyyy-mm-dd
2012-02-09 Vulnerability reported by Ulf Tigerstedt
2012-02-09 Acknowledgement from the EGI SVG to the reporter
2012-02-14 Software providers responded and involved in investigation
2012-02-20 Assessment by the EGI Software Vulnerability Group reported
to the software providers
2014-07-24 Updated packages available in the EGI UMD
2014-08-04 Checked that above version fixes this vulnerability.
2014-08-05 Public disclosure
.