The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:Advisory-SVG-2014-6963"
Jump to navigation
Jump to search
(Created page with " {{svg-header}} <pre> The advisory for this issue was sent to sites on 12th May 2014, and will placed here after 26th May 2014. </pre>") |
|||
| Line 1: | Line 1: | ||
{{svg-header}} | {{svg-header}} | ||
<pre> | <pre> | ||
Title: EGI SVG Advisory 'High' RISK - DPM version in EPEL [EGI-SVG-2014-6963] | |||
Date: 2014-05-12 | |||
Updated: | |||
This will be placed on the wiki after 26th May 2014 | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-6963 | |||
Introduction | |||
============ | |||
A vulnerability has been introduced to one version of DPM released in EPEL. | |||
This allows an unauthenticated user to access data, and to modify data. | |||
This has now been fixed. | |||
Details | |||
======= | |||
A vulnerability has been introduced by the developers and found by the developers | |||
in a version of DPM released in EPEL. | |||
This vulnerable version of DPM has only been made available in EPEL and is only | |||
deployed on a small number of sites. | |||
This vulnerability has been fixed in the version of DPM now available in EPEL. | |||
Information on DPM itself is available on the DPM Wiki [R 1] | |||
Risk category | |||
============= | |||
This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team. | |||
Affected software | |||
================= | |||
DPM version available in EPEL dmlite-libs-0.6.2-1 is affected. | |||
Note that this is the **ONLY** vulnerable version. | |||
This is fixed in dmlite-libs-0.6.2-2 | |||
Earlier versions of DPM are not affected. | |||
The versions in the EGI UMD are not affected. | |||
Mitigation | |||
========== | |||
N/A - any sites which have installed the vulnerable version should update as | |||
soon as possible. | |||
Component installation information | |||
================================== | |||
Sites installing from EPEL who have the vulnerable version should simply update using | |||
yum update | |||
Followed by a restart of the DPM daemons (incl. httpd, xrootd and gridftp). | |||
(or alternatively re-start the machine.) | |||
More information in the installation and configuration of DPM is available in [R 2] and [R 3] | |||
Recommendations | |||
=============== | |||
Affected sites are recommended to update relevant components as soon as possible. | |||
Credit | |||
====== | |||
This vulnerability was reported by David Smith of the DPM team. | |||
References | |||
========== | |||
[R 1] Main DPM wiki: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm | |||
[R 2] Installation: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/Install | |||
[R 3] Configuration: | |||
https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/ConfigurationIdx | |||
Timeline | |||
======== | |||
Yyyy-mm-dd | |||
2014-05-02 Vulnerability reported by David Smith | |||
2014-05-02 Acknowledgement from the EGI SVG to the reporter | |||
2014-05-02 Software providers providing fix | |||
2014-05-08 Assessment by the EGI Software Vulnerability Group at EGI SVG monthly meeting | |||
2014-05-08 Risk reported to the software providers | |||
2014-05-08 Updated packages available in the EPEL repository | |||
2014-05-12 Amber advisory sent to sites. | |||
2014-06-02 Public disclosure | |||
</pre> | </pre> | ||
Revision as of 16:09, 2 June 2014
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2014-6963
Title: EGI SVG Advisory 'High' RISK - DPM version in EPEL [EGI-SVG-2014-6963] Date: 2014-05-12 Updated: This will be placed on the wiki after 26th May 2014 URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-6963 Introduction ============ A vulnerability has been introduced to one version of DPM released in EPEL. This allows an unauthenticated user to access data, and to modify data. This has now been fixed. Details ======= A vulnerability has been introduced by the developers and found by the developers in a version of DPM released in EPEL. This vulnerable version of DPM has only been made available in EPEL and is only deployed on a small number of sites. This vulnerability has been fixed in the version of DPM now available in EPEL. Information on DPM itself is available on the DPM Wiki [R 1] Risk category ============= This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team. Affected software ================= DPM version available in EPEL dmlite-libs-0.6.2-1 is affected. Note that this is the **ONLY** vulnerable version. This is fixed in dmlite-libs-0.6.2-2 Earlier versions of DPM are not affected. The versions in the EGI UMD are not affected. Mitigation ========== N/A - any sites which have installed the vulnerable version should update as soon as possible. Component installation information ================================== Sites installing from EPEL who have the vulnerable version should simply update using yum update Followed by a restart of the DPM daemons (incl. httpd, xrootd and gridftp). (or alternatively re-start the machine.) More information in the installation and configuration of DPM is available in [R 2] and [R 3] Recommendations =============== Affected sites are recommended to update relevant components as soon as possible. Credit ====== This vulnerability was reported by David Smith of the DPM team. References ========== [R 1] Main DPM wiki: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm [R 2] Installation: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/Install [R 3] Configuration: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/ConfigurationIdx Timeline ======== Yyyy-mm-dd 2014-05-02 Vulnerability reported by David Smith 2014-05-02 Acknowledgement from the EGI SVG to the reporter 2014-05-02 Software providers providing fix 2014-05-08 Assessment by the EGI Software Vulnerability Group at EGI SVG monthly meeting 2014-05-08 Risk reported to the software providers 2014-05-08 Updated packages available in the EPEL repository 2014-05-12 Amber advisory sent to sites. 2014-06-02 Public disclosure