** WHITE information - Unlimited distribution allowed **

** see for distribution restrictions **


Title:       "Low" Risk: DPM Information Leak Vulnerability
Date:        2014-08-05



An information leak vulnerability has been found in DPM (Disk Pool Manager).

This has been resolved via a new version of the dpm-dsi library which is available 
in the EGI UMD.    


An information leak vulnerability has been found in DPM which may allow users
to access files, including log files, which they are not entitled to access.

This has been resolved via a new version of the dpm-dsi library used by DPM which
is available in the EGI UMD.

The version of the library that resolves this issue is also available in EPEL.

Risk Category

This issue has been assessed as "Low" risk by the EGI SVG Risk Assessment Team.

Affected Software

DPM versions containing versions of the dpm-dsi library earlier than 
dpm-dsi-1.9.3 are affected.

This vulnerability has been fixed in version dpm-dsi-1.9.3, as available
in the EGI UMD-3.
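
One way to check a host against the affected range above, as an added example that is not part of the advisory. It assumes an RPM-based host where the library is packaged under the name dpm-dsi; the function names are hypothetical and the sample versions are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes the RPM package name "dpm-dsi".
FIXED_VERSION="1.9.3"   # fixed version named in the advisory

# version_lt A B: succeeds if dotted numeric version A is older than B.
# Components compare as integers, so 1.10.0 is newer than 1.9.3.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # equal versions are not "older"
}

# check_dpm_dsi VERSION[-RELEASE]: 0 = fixed, 1 = affected, 2 = unparsable.
check_dpm_dsi() {
    ver=${1%%-*}   # drop an RPM release suffix such as "-1.el6"
    case $ver in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    if version_lt "$ver" "$FIXED_VERSION"; then return 1; fi
    return 0
}

# report_installed: classify every dpm-dsi package installed on this host.
report_installed() {
    out=$(rpm -q --qf '%{VERSION}\n' dpm-dsi 2>/dev/null) ||
        { echo "dpm-dsi not installed, or rpm unavailable"; return 2; }
    worst=0
    for v in $out; do
        rc=0; check_dpm_dsi "$v" || rc=$?
        case $rc in
            0) echo "dpm-dsi $v: fixed" ;;
            1) echo "dpm-dsi $v: AFFECTED, update to $FIXED_VERSION or later"; worst=1 ;;
            *) echo "dpm-dsi $v: unrecognised version"; [ "$worst" -eq 1 ] || worst=2 ;;
        esac
    done
    return "$worst"
}

if [ "${1:-}" = "--installed" ]; then
    report_installed
else
    for v in 1.8.10 1.9.2 1.9.3 1.9.3-1.el6 1.10.0; do   # constructed samples
        rc=0; check_dpm_dsi "$v" || rc=$?
        echo "$v -> $rc (0 fixed, 1 affected, 2 unparsable)"
    done
fi
```

Run with `--installed` on a DPM node to classify the installed package; without arguments it only classifies the constructed sample versions.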


No mitigation is recommended. 

Component Installation information

The official repository for the distribution of grid middleware for EGI sites is which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD 3 should see:

Please note that DPM is no longer maintained in the EMI repository.

DPM is now also available in EPEL.


Sites are recommended to update their software in due course.


This vulnerability was reported by Ulf Tigerstedt.


2012-02-09 Vulnerability reported by Ulf Tigerstedt
2012-02-09 Acknowledgement from the EGI SVG to the reporter
2012-02-14 Software providers responded and involved in investigation
2012-02-20 Assessment by the EGI Software Vulnerability Group reported 
           to the software providers
2014-07-24 Updated packages available in the EGI UMD
2014-08-04 Checked that above version fixes this vulnerability.
2014-08-05 Public disclosure