
SVG:Advisory-SVG-2012-3390

From EGIWiki

Advisory-SVG-2012-3390



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2012-3390] 

Title:       "Low" Risk: DPM Information Leak Vulnerability
  
Date:        2014-08-05
Updated:    

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-3390

Introduction
============

An information leak vulnerability has been found in DPM (Disk Pool Manager).

This has been resolved via a new version of the dpm-dsi library, which is available
in the EGI UMD.



Details
=======

An information leak vulnerability has been found in DPM which may allow users
to access files, including log files, that they are not entitled to access.

This has been resolved via a new version of the dpm-dsi library used by DPM, which
is available in the EGI UMD.

The version of this library which resolves this issue is also available in EPEL.


Risk Category
=============

This issue has been assessed as "Low" risk by the EGI SVG Risk Assessment Team.


Affected Software
=================

DPM versions containing versions of the dpm-dsi library earlier than
dpm-dsi-1.9.3 are affected.

This vulnerability has been fixed by version dpm-dsi-1.9.3 as available
in the EGI UMD-3.
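A site can decide whether an installed dpm-dsi package falls in the affected range by comparing its version against the fixed release named above. The following POSIX shell script is an added example and is not part of this advisory or of the DPM project; it assumes version strings of the form "1.9.2", "1.9.2-1.el6" or "dpm-dsi-1.9.3-3" (the package-name prefix and RPM release suffix are ignored) and that, when run on a host, `rpm -q` reports the installed version.

```shell
# Added example, not from the EGI advisory: is a dpm-dsi version earlier
# than the fixed release dpm-dsi-1.9.3 named in the advisory?
FIXED_DPM_DSI="1.9.3"

# vercmp A B: compare dotted numeric versions component by component and
# print -1, 0 or 1 for A<B, A=B, A>B. A missing component counts as 0,
# so "1.9" is treated as "1.9.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# dpm_dsi_status VERSION: print "affected" if VERSION is earlier than the
# fixed release and "fixed" otherwise; print "unparseable" and return 2
# when the version cannot be reduced to digits and dots.
dpm_dsi_status() {
    v="${1#dpm-dsi-}"      # drop package-name prefix if present
    v="${v%%-*}"           # drop RPM release suffix, e.g. "-1.el6"
    case "$v" in
        ""|*[!0-9.]*) printf '%s\n' unparseable; return 2 ;;
    esac
    if [ "$(vercmp "$v" "$FIXED_DPM_DSI")" -lt 0 ]; then
        printf '%s\n' affected
    else
        printf '%s\n' fixed
    fi
}

# installed_dpm_dsi_status: query the installed package on an RPM-based
# host (assumption: rpm is the package manager); degrade gracefully when
# rpm or the package is absent.
installed_dpm_dsi_status() {
    if ! command -v rpm >/dev/null 2>&1; then
        printf '%s\n' "rpm not available"; return 0
    fi
    v="$(rpm -q --qf '%{VERSION}' dpm-dsi 2>/dev/null)" \
        || { printf '%s\n' "dpm-dsi not installed"; return 0; }
    dpm_dsi_status "$v"
}
```

Running `installed_dpm_dsi_status` on a storage element prints "affected" for any dpm-dsi older than 1.9.3 and "fixed" otherwise.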


Mitigation
==========

No mitigation is recommended. 


Component Installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).


Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

http://repository.egi.eu/2014/07/24/dpm-dsi-1-9-3-3/


Please note that DPM is no longer maintained in the EMI repository.


DPM is now also available in EPEL:

https://fedoraproject.org/wiki/EPEL



Recommendations
===============

Sites are recommended to update their software in due course.


Credit
======

This vulnerability was reported by Ulf Tigerstedt.


Timeline  
========
Yyyy-mm-dd

2012-02-09 Vulnerability reported by Ulf Tigerstedt
2012-02-09 Acknowledgement from the EGI SVG to the reporter
2012-02-14 Software providers responded and involved in investigation
2012-02-20 Assessment by the EGI Software Vulnerability Group reported 
           to the software providers
2014-07-24 Updated packages available in the EGI UMD
2014-08-04 Checked that above version fixes this vulnerability. 
2014-08-05 Public disclosure
