Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

SVG:Advisory-SVG-2012-4670

From EGIWiki
Revision as of 16:14, 19 February 2013 by Cornwall (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-2012-4670


** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG   ADVISORY [EGI-SVG-2012-4670] 

Title:       EGI SVG Advisory 'Moderate' Risk DPM buffer overflow in SRM v2.2 endpoint

Date:        2013-02-19

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-4670

Introduction
============

A buffer overflow vulnerability has found in DPM in SRM v2.2 endpoint 

A new version of DPM which resolves these vulnerabilities is now available in the in 
the EMI-1 and EMI-2 distributions.

This version is also available in EGI UMD-1 and EGI UMD-2. 

Details
=======

A buffer overflow vulnerability has been found in DPM in the SRM v2.2 endpoint


Risk category
=============

This issue has been assessed as "Moderate" risk by the EGI SVG Risk Assessment Team.  


Affected software
=================

DPM version 1.8.4 available both in the EMI 2 distribution and the EGI UMD 2 distribution. 

DPM version 1.8.2 available both in the EMI 1 distribution and the EGI UMD 1 distribution 

This vulnerability has been fixed in DPM 1.8.6 as available in EMI 1 Update 23 and EMI 2 Update 8.

The package has also been released in EGI UMD-1  
Release 1.10.0 http://repository.egi.eu/2013/02/19/release-umd-1-10-0/ 

and UMD-2 Release 2.4.0
http://repository.egi.eu/2013/02/18/release-umd-2-4-0/


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD should see:


http://repository.egi.eu/category/umd_releases/distribution/umd-2/

http://repository.egi.eu/category/umd_releases/distribution/umd_1/

Sites installing directly from EMI should see:

http://www.eu-emi.eu/emi-2-matterhorn/updates/

http://www.eu-emi.eu/emi-1-kebnekaise-updates/


Recommendations
===============

Sites are recommended to update relevant components.


Credit
======

This vulnerability was reported to SVG by Eygene Ryabinkin 



Timeline  
========
Yyyy-mm-dd

2012-11-19 Vulnerability reported by to SVG by Eygene Ryabinkin 
2012-11-19 Acknowledgement from the EGI SVG to the reporter
2012-11-21 Assessment by the EGI Software Vulnerability Group reported 
           to the software providers
2013-01-28 Updated packages available in the EMI distribution
2013-02-19 Updated packages available in the EGI UMD-1 and EGI UMD-2 
2013-02-19 Public disclosure