gLite 3.0
glite-LFC_oracle - Update to version 3.0.9-2
The updated DPM-FTP component (1.6.5-3):
Please also have a look at the list of known issues.
This update fixes various bugs. For the full list of bugs, please see list below.
glite-LFC_oracle - Update to version 3.0.9-2
Date | 02.07.07 |
---|---|
Priority | High |
Description
DPM-gridftp-server Incorrect credentials propagation -- High Priority
Operational Security Coordination Team Advisory
-- Date: 2007-07-02
-- Background
The Disk Pool Manager (DPM) has been developed as a lightweight
solution for disk storage management. The DPM offers a modified
version of the Globus gridftp daemon for data access, among many
other protocols.
-- Affected Software
LCG <= 2.7.x, gLite <= 3.0.x.
gLite 3.1.x is not affected.
-- Affected Components
All versions of the DPM-gridftp-server package are affected.
DPM servers running with VDT 1.6 or later are not affected, because
they are using a different gridftp implementation from Globus Toolkit 4,
interfaced to DPM via a plug-in interface. This comes with the package
'DPM-DSI', instead of the above mentioned 'DPM-gridftp-server'.
For gLite 3.x the affected meta-package are:
glite-SE_dpm_disk
glite-SE_dpm_mysql
glite-SE_dpm_oracle
Sites running LCG 2.x are asked to upgrade their DPM-gridftp-server to gLite.
-- Vulnerability Details
The DPM gridftp server is handling the credentials of authenticated users
to manage permissions on the files. Unfortunately, it appears that under
some circumstances, the credentials are not correctly propagated.
As a result, it is possible for a malicious user who successfully
authenticated against the DPM gridftp service to manipulate any file
accessible by the service, including reading, writing, deleting and
changing the permissions of the affected files and directories.
-- Further documentation
This advisory is also available at the following URL:
../../../../../../../glite-web/egee/packages/R3.0/updates.asp
-- Installation Notes
The following rpms have been made available;
DPM-gridftp-server-1.6.5-3sec.i386.rpm
It is possible to upgrade the 'DPM-gridftp-server' component only
(without upgrading the rest of the DPM components) from any version
including 1.6.0 to 1.6.5-2.
If the upgrade is not feasible, then we recommend stopping the DPM
gridftp service and contacting the developers for the possibility
of a custom upgrade path:
/sbin/service dpm-gsiftp stop
/sbin/chkconfig --del dpm-gsiftp
They are available in the appropriate repositories for each distribution.
../../../../../../../glite-web/egee/packages/R3.0/updates.asp
-- Credit
This vulnerability has been discovered by Kostas Georgiou.
-- Disclosure Timeline
2007-06-19 Vulnerability reported to the LFC/DPM developers
2007-06-19 Initial response from the LFC/DPM developers
2007-06-26 Updated packages ready for certification and testing
2007-07-02 OSCT notified of the vulnerability
2007-07-02 Updated packages certified
2007-07-02 Release preparation completed
2007-07-02 Updated LCG and gLite packages available
2007-07-02 Public disclosure
2007-07-02 Site Admins and LCG Security Contacts notified
-- References
The details of the vulnerability and the update can be found here:
../../../../../../../glite-web/egee/packages/R3.0/updates.asp
For more detailed information including fixed bugs, updated RPMs,
configuration changes and how to deploy, please go to the 'Details'
link next to each service on the 'Updates' web page.
All issues found with this update should be reported using GGUS:
www.ggus.org.
Further updates in Data Management
The updated DPM-FTP component (1.6.5-3):
- ftpd: propagate user credentials for cd requests (needed for uberftp) Replacing the DPM-client (build only) dependency by lcg-dm-common.
- Better logging of request and sub-request (file) errors
- Disabled automatic RPM dependencies to solve the x86_64 related problems
- Build fixes for Suse9, Centos4 and easing optional build of Oracle parts
Please also have a look at the list of known issues.
This update fixes various bugs. For the full list of bugs, please see list below.
Fixed bugs
Number | Description |
---|---|
#24493 | LFC Oracle script errors |
Updated rpms
Name | Version | Full RPM name | Description |
---|---|---|---|
glite-LFC_oracle | 3.0.9-2 | glite-LFC_oracle-3.0.9-2.noarch.rpm | gLite LFC Oracle node |
lcg-dm-common | 1.6.5-3sec.slc3 | lcg-dm-common-1.6.5-3sec.slc3.i386.rpm | LCG Data Management common libraries and man pages. |
LFC-client | 1.6.5-3sec.slc3 | LFC-client-1.6.5-3sec.slc3.i386.rpm | Client side libraries for the LFC |
LFC-interfaces | 1.6.5-3sec.slc3 | LFC-interfaces-1.6.5-3sec.slc3.i386.rpm | LCG File Catalog Interfaces |
LFC-server-oracle | 1.6.5-3sec.slc3 | LFC-server-oracle-1.6.5-3sec.slc3.i386.rpm | LFC Server for an Oracle database backend |
The RPMs can be updated using apt via
- via apt: apt-get dist-upgrade
- or via a download from:
http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.updates/
Service reconfiguration after update
Service must be reconfigured.
Service restart after update
Service must be restarted.
How to apply the fix
- Update the RPMs (see above)
- Update configuration (see above)
- Restart the service if necessary (see above)