
Difference between revisions of "SVG:General Advisory Template"

Line 2: Line 2:


<pre>
<pre>
E-mail title - as Title
 
(Revised 7th January 2016)
 
E-mail title - as Title  


<add or delete sections as needed>
<add or delete sections as needed>


< Choose proper TLP color >
< Choose proper TLP color >
** WHITE information - Unlimited distribution allowed                      **  or
** WHITE information - Unlimited distribution allowed                      **  or
** GREEN information - Community wide distribution                          **  or
** GREEN information - Community wide distribution                          **  or
Line 16: Line 20:


< Fill in advisory number, title, date, and URL(if WHITE)>
< Fill in advisory number, title, date, and URL(if WHITE)>
< Title should be prepended by the RISK rating (e. g., CRITICAL, HIGH, ...)>
< Title should include the RISK rating (e. g., CRITICAL, HIGH, ...)>
< If applicable, a CVE number or the like should be included >
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject as well>
< The title should be used as mail subject as well>




EGI CSIRT ADVISORY [EGI-ADV-yyyymmdd] or
EGI SVG  ADVISORY [EGI-SVG-CVE-<year>-<number>] if CVE available
EGI SVG  ADVISORY [EGI-SVG-yyyy-<Rt no>]  
 
EGI SVG  ADVISORY [EGI-SVG-<date of report>-<SW abbreviation>] 
 
Title:      EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name of
software  [EGI-SVG-CVE-<year>-<number>]  if CVE available or [EGI-SVG-<date of report>-<SW abbreviation>]


Title:      EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name software for csirt - [EGI-ADV-YYYYMMDD] for [SVG EGI-SVG-YYYY-RTno ]
Date:        <date  yyyy-mm-dd> <1st released>
Date:        <date  yyyy-mm-dd> <1st released>
Updated:    <date  yyyy-mm-dd>
Updated:    <date  yyyy-mm-dd>
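Review bot: The new two-line Title entry opens the placeholder "<refer to any CVE number and include name of" and never closes it, so the bracketed advisory identifier that follows reads as part of the instruction rather than as text to keep. Close the placeholder after "software" so that "<refer to any CVE number and include name of software>" is separate from "[EGI-SVG-CVE-<year>-<number>]". The same hunk changes the guidance from "prepended by" to "include" the RISK rating while the Title line still puts "<risk> RISK" first; stating where the rating goes would keep mail subjects consistent across advisories.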
Line 31: Line 38:
<For other - This advisory will be placed on the wiki on or after yyyy-mm-dd>
<For other - This advisory will be placed on the wiki on or after yyyy-mm-dd>


URL:        https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/<xxx>-yyyy-mm-dd  or
 
URL:        https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<yyyy>-<number>
URL:        https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-<year>-<number>
URL:        https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<date of report>-<SW abbreviation>


Introduction
Introduction
Line 61: Line 69:
<this should not be long>
<this should not be long>


<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.>




Line 66: Line 75:
=============
=============


<This issue has been assessed as Critical/High/Moderate/Low risk by the EGI CSIRT and/or EGI SVG
This issue has been assessed as Critical/High/Moderate/Low risk by the EGI SVG Risk
Risk Assessment Team as appropriate> 
 
<if critical - include critical in title and e-mail title>
Assessment Team  
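Review bot: With the angle brackets removed from the "This issue has been assessed as Critical/High/Moderate/Low risk" sentence, nothing marks the four ratings as a choice to be reduced to one, so an advisory can be sent with all four still listed. Writing it as "<Critical/High/Moderate/Low>" keeps the placeholder convention used elsewhere in the template. The sentence is also now broken after "Risk", leaving "Assessment Team" on its own line, and the removed "<if critical - include critical in title and e-mail title>" reminder has no replacement in this hunk.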




Line 122: Line 131:




OR


References to appropriate other software.


OR
List vendors who have already announced patches with references




Line 134: Line 148:


<Immediately apply vendor kernel updates when they become available.>
<Immediately apply vendor kernel updates when they become available.>
<List vendors who have already announced patches>


<Apply new version in EGI UMD>
<Apply new version in EGI UMD>
Line 142: Line 154:




<(For critical) All running resources MUST be either patched or otherwise have a
<(For critical) All running resources MUST be either patched or have mitigation
work-around in place by yyyy-mm-dd  T21:00+01:00. Sites failing to act and/or  
in place by yyyy-mm-dd  T21:00+01:00.  
failing to respond to requests from the EGI CSIRT team risk site suspension.  
 
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk  
 
site suspension.  


<7 calendar days - but if the date falls on a Friday or common public holiday,  
<7 calendar days - but if the date falls on a Friday or common public holiday,  
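Review bot: The rewritten critical-deadline text still opens with "<(For critical)" but has no closing ">" after "site suspension.", and it is now spread over lines separated by blank lines ("... EGI CSIRT team risk" / "site suspension."), so inside the pre block it no longer reads as one instruction. Keep the paragraph on contiguous lines and close the placeholder after "site suspension.". The deadline "yyyy-mm-dd  T21:00+01:00" also has a gap before "T"; if a single timestamp is intended, write it without the spaces.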
Line 154: Line 169:


This vulnerability was reported by <if applicable - person who discovers vulnerability>
This vulnerability was reported by <if applicable - person who discovers vulnerability>
or
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability>




Line 164: Line 183:
<any other info on the problem>
<any other info on the problem>


Comments
========


Timeline  <probably SVG/EGI UMD issues only>
Comments or questions should be sent to svg-rat  at  mailman.egi.eu
 
 
 
Timeline   
========
========
Yyyy-mm-dd
Yyyy-mm-dd


2015-??-?? Vulnerability reported by <name1> WE NEED TO ASK HIM/HER BEFORE PUTTING HIS/HER NAME
2016-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1>
2015-??-?? Acknowledgement from the EGI SVG to the reporter
2016-??-?? Acknowledgement from the EGI SVG to the reporter
2015-??-?? Software providers responded and involved in investigation
2016-??-?? (if appropriate) Software providers responded and involved in investigation
2015-??-?? Assessment by the EGI Software Vulnerability Group reported to the software providers
2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate)
2015-??-?? Updated packages available <in the EGI UMD/other location>
2016-??-?? EGI SVG Risk Assessment completed
2015-??-?? Public disclosure
2016-??-?? (if appropriate)Risk Reported to the Software Providers
 
2016-??-?? Updated packages available <in the EGI UMD/other location>  
 
2016-??-?? Advisory/Alert sent to sites
2016-??-?? Public disclosure




On behalf of the <EGI CSIRT / EGI CSIRT and SVG / EGI SVG as appropriate>  ,
On behalf of the EGI SVG,
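Review bot: The first Timeline entry drops the reminder "WE NEED TO ASK HIM/HER BEFORE PUTTING HIS/HER NAME" and nothing in this hunk replaces it, so the template no longer prompts the author to get the reporter's consent before naming them in a distributed advisory. Suggest keeping it as a placeholder, for example "<confirm that the reporter agrees to be named>". The entries also hard-code the year as "2016-??-??" although the line above them says "Yyyy-mm-dd"; using "yyyy-mm-dd" would avoid yearly edits. "(if appropriate)Risk Reported" is missing a space.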





Revision as of 18:40, 7 January 2016


General Advisory Template



(Revised 7th January 2016)

E-mail title - as Title   

<add or delete sections as needed>

< Choose proper TLP color >

** WHITE information - Unlimited distribution allowed                       **  or
** GREEN information - Community wide distribution                          **  or
** AMBER information - Limited distribution                                 **  or
** RED information - Personal for Named Recipients Only                     **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


< Fill in advisory number, title, date, and URL (if WHITE)>
< Title should include the RISK rating (e.g., CRITICAL, HIGH, ...)>
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject as well>


EGI SVG   ADVISORY [EGI-SVG-CVE-<year>-<number>]  if CVE available

EGI SVG   ADVISORY [EGI-SVG-<date of report>-<SW abbreviation>]  

Title:       EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name of
software>  [EGI-SVG-CVE-<year>-<number>]  if CVE available or [EGI-SVG-<date of report>-<SW abbreviation>]

Date:        <date  yyyy-mm-dd> <1st released>
Updated:     <date  yyyy-mm-dd>

<Put on Wiki for WHITE information only>
<For other - This advisory will be placed on the wiki on or after yyyy-mm-dd>


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-<year>-<number>
URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<date of report>-<SW abbreviation>

Introduction
============

<Describe the reason for the issuing of this advisory - paragraph 3-5 sentences > 

< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> 

<this could include - e.g. updated as patch available> 

<include cve- number if one has been issued> 

<include EGI RT number for SVG/UMD issues>



Details
=======


<describe the problem, something about why it occurs, and the effect on sites>


<take care not to release anything useful to an attacker, unless it is already public, 
especially if you are sending it in WHITE>

<this should not be long>

<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> 


Risk category
=============

This issue has been assessed as Critical/High/Moderate/Low risk by the EGI SVG Risk
Assessment Team.


Affected software
=================

<e.g. which version(s) of Linux are affected>

<e.g. which middleware component is affected within gLite/ARC/Unicore/Globus/Other>


Mitigation
==========

<Describe mitigation to carry out - this may be to run a script>

< If possible, include either a script and/or include command lines>


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

Sites who wish to install directly from the EMI release should see: 


http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/


OR

Please note that XXX is no longer maintained in the EMI repository.


XXX is now also available in EPEL

https://fedoraproject.org/wiki/EPEL



<e.g. patch not yet available>

<e.g. patch available from vendor for x system but not y>

<e.g. pointer to UMD release >


OR 

References to appropriate other software. 

OR 

List vendors who have already announced patches with references


Recommendations
===============

<as appropriate e.g.>

<Immediately apply the mitigation described above to all user-accessible systems.>

<Immediately apply vendor kernel updates when they become available.>

<Apply new version in EGI UMD>

<Sites are recommended to update relevant components.>


<(For critical) All running resources MUST be either patched or have mitigation
in place by yyyy-mm-dd  T21:00+01:00.
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk
site suspension.>

<7 calendar days - but if the date falls on a Friday or common public holiday, 
make it the first working day after people are expected back>


Credit
======

This vulnerability was reported by <if applicable - person who discovers vulnerability>

or

SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability>


References
==========

<Any references to the vulnerability> 
<refer to any public disclosure>
<e.g. Linux vendors info>
<any other info on the problem>

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu



Timeline  
========
Yyyy-mm-dd

2016-??-?? Vulnerability reported by <name1>  or SVG alerted to this issue by <name1>
2016-??-?? Acknowledgement from the EGI SVG to the reporter
2016-??-?? (if appropriate) Software providers responded and involved in investigation
2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate) 
2016-??-?? EGI SVG Risk Assessment completed
2016-??-?? (if appropriate) Risk Reported to the Software Providers
2016-??-?? Updated packages available <in the EGI UMD/other location> 
2016-??-?? Advisory/Alert sent to sites
2016-??-?? Public disclosure


On behalf of the EGI SVG,

