SVG:Advisory-SVG-2014-6963
Advisory-SVG-2014-6963
Title: EGI SVG Advisory 'High' RISK - DPM version in EPEL [EGI-SVG-2014-6963]
Date: 2014-05-12
Updated:
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-6963

Introduction
============
A vulnerability has been introduced in one version of DPM released in EPEL. It allows an unauthenticated user to access data and to modify data. This has now been fixed.

Details
=======
A vulnerability was introduced by the developers, and found by the developers, in a version of DPM released in EPEL. This vulnerable version of DPM has only been made available in EPEL and is only deployed on a small number of sites. The vulnerability has been fixed in the version of DPM now available in EPEL.

Information on DPM itself is available on the DPM Wiki [R 1].

Risk category
=============
This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team.

Affected software
=================
The DPM version available in EPEL as dmlite-libs-0.6.2-1 is affected. Note that this is the **ONLY** vulnerable version. This is fixed in dmlite-libs-0.6.2-2.

Earlier versions of DPM are not affected. The versions in the EGI UMD are not affected.

Mitigation
==========
N/A - any sites which have installed the vulnerable version should update as soon as possible.

Component installation information
==================================
Sites installing from EPEL which have the vulnerable version should simply update using

yum update

followed by a restart of the DPM daemons (including httpd, xrootd and gridftp), or alternatively restart the machine.

More information on the installation and configuration of DPM is available in [R 2] and [R 3].

Recommendations
===============
Affected sites are recommended to update the relevant components as soon as possible.

Credit
======
This vulnerability was reported by David Smith of the DPM team.

References
==========
[R 1] Main DPM wiki: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm
[R 2] Installation: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/Install
[R 3] Configuration: https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/ConfigurationIdx

Timeline
========
Yyyy-mm-dd
2014-05-02 Vulnerability reported by David Smith
2014-05-02 Acknowledgement from the EGI SVG to the reporter
2014-05-02 Software providers providing fix
2014-05-08 Assessment by the EGI Software Vulnerability Group at EGI SVG monthly meeting
2014-05-08 Risk reported to the software providers
2014-05-08 Updated packages available in the EPEL repository
2014-05-12 Amber advisory sent to sites
2014-06-02 Public disclosure
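The following script is an added example and is not part of the EGI advisory or of the DPM project. It implements the check a site administrator would want before applying the "Component installation information" above: it takes an installed dmlite-libs package name (as `rpm -q dmlite-libs` prints it), reduces it to the version-release pair, and reports whether it is the single vulnerable release (0.6.2-1), the fixed release (0.6.2-2) or some other, unaffected version. The package name format `dmlite-libs-<version>-<release>.<disttag>.<arch>` and the dist tags it strips are assumptions about how EPEL names the package; the version numbers themselves come from the advisory. The sample package names used at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an installed dmlite-libs
# package against the one vulnerable release named in EGI-SVG-2014-6963.

VULNERABLE_VR="0.6.2-1"   # only affected version, per the advisory
FIXED_VR="0.6.2-2"        # fixed version in EPEL, per the advisory

# Reduce an rpm NVRA string such as "dmlite-libs-0.6.2-1.el6.x86_64"
# to its version-release part, "0.6.2-1".  The ".el6"/".fc20" dist tags
# and the arch suffixes stripped here are assumptions about EPEL naming.
dmlite_version_release() {
    vr="${1#dmlite-libs-}"           # drop the package name prefix
    vr="${vr%.x86_64}"; vr="${vr%.i686}"; vr="${vr%.noarch}"
    vr="${vr%%.el*}"; vr="${vr%%.fc*}" # drop the dist tag, if any
    printf '%s\n' "$vr"
}

# Print one of: vulnerable / fixed / not-affected
dmlite_status() {
    vr=$(dmlite_version_release "$1")
    if [ "$vr" = "$VULNERABLE_VR" ]; then
        echo vulnerable
    elif [ "$vr" = "$FIXED_VR" ]; then
        echo fixed
    else
        echo not-affected   # earlier (and later) versions are not affected
    fi
}

# Query the local rpm database, if this host has one, and report.
# Returns 1 when the vulnerable release is installed so the result can
# drive a site-wide check (e.g. a loop over hosts via ssh).
check_installed() {
    nvr=$(rpm -q dmlite-libs 2>/dev/null) || {
        echo "dmlite-libs is not installed on this host"
        return 0
    }
    status=$(dmlite_status "$nvr")
    echo "$nvr: $status"
    if [ "$status" = vulnerable ]; then
        echo "update with 'yum update' and restart the DPM daemons" \
             "(httpd, xrootd, gridftp) or reboot, as the advisory states"
        return 1
    fi
    return 0
}

# Constructed sample package names, used only to show the classification.
for sample in dmlite-libs-0.6.2-1.el6.x86_64 \
              dmlite-libs-0.6.2-2.el6.x86_64 \
              dmlite-libs-0.6.1-3.el5.x86_64; do
    echo "$sample -> $(dmlite_status "$sample")"
done

# Only touch the rpm database when one is available on this machine.
if command -v rpm >/dev/null 2>&1; then
    check_installed || true
fi
```

Running it on a DPM head node or disk server prints the classification of the installed package and a non-zero return from `check_installed` when the 0.6.2-1 release is present, which is the condition under which the advisory asks for an immediate `yum update` and daemon restart.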