gLite 3.1

glite-SCAS - Update to version 3.1.4-0


Date 16.03.2010
Priority Normal

Description



glite-AMGA_oracle, glite-AMGA_postgres, glite-BDII, glite-CONDOR_utils, glite-CREAM, glite-FTA_oracle, glite-FTM, glite-FTS_oracle, glite-HYDRA_mysql, glite-LB, glite-LFC_mysql, glite-LFC_oracle, glite-LSF_utils, glite-MON, glite-MPI_utils, glite-PX, glite-SCAS, glite-SE_dcache_admin_gdbm, glite-SE_dcache_admin_postgres, glite-SE_dcache_info, glite-SE_dcache_pool, glite-SE_dpm_disk, glite-SE_dpm_mysql, glite-SGE_utils, glite-TORQUE_client, glite-TORQUE_server, glite-TORQUE_utils, glite-UI, glite-VOBOX, glite-VOMS_mysql, glite-VOMS_oracle, glite-WMS, glite-WN, lcg-CE

The LB patch introduces a new version of glite-version.

glite-SCAS

New version of glite-security-scas

This is a drop-in replacement for glite-security-scas-0.2.6-1 that fixes bug #52648, which prevents user banning for the SCAS server. The stability of the service has also been improved significantly when it is probed by network analysis tools.

LCAS
  • Solved segmentation faults when a malformed proxy was provided by the calling library or application.
  • When using the lcas_pem interface (used by gLExec, SCAS and third parties), the wrong individual certificate was selected: the first delegation was selected instead of the final delegation of the certificate chain.
  • The extraction of the user's subject DN has been replaced. The Globus code calculates the RDN count of the individual certificate and strips off a number of RDNs equal to the number of delegations. This process is error prone, overly complex, and causes segmentation faults when used in the wrong way. It has been replaced by a safer approach which has been used in LCMAPS for years.
SCAS

The saml2-xacml2-c-lib code implements the socket setup, the socket handling and the protocol handling (HTTP, SOAP, SAML2, XACML2). It usually also handles the TCP/IP itself, but callbacks in the library are used to extend this to TCP/IP with SSL. The saml2-xacml2-c-lib sets up the master socket in the default blocking mode. This means that the multi-threaded nature of the service boils down to the semaphore on the blocking socket. This will change to a non-blocking socket with many worker processes in the next release.

The following situations in SCAS are fixed:

  • Failures in the TCP/IP are handled better.
  • 500ms wait time between a successful TCP/IP connection (meaning fully set up and functional) and the initiation of the SSL handshake.
  • nmap -sV $hostname fuzzes the SSL layer to identify the service. This causes a crash, because the callbacks made a proper cleanup of the client connection at the service, but the saml2-xacml2-c-lib also seems to want to perform the close(2) on the socket in the error handling deep in the SOAP layers.
  • The previous situation also occurs when a proxy of the pilot job framework executor (WN scenario) or the certificate of the Grid service is blacklisted in SSL+LCAS. (note: This is another LCAS call that authorizes the pilot job (real) users).
  • The SCAS log lines are prefixed with the time at which an event took place. The time stamp is set per thread, so all lines of a complete thread handling share the same timecode. This eases automated searching.
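
Two layers both calling close(2) on the same client socket, as in the nmap item above, is hazardous in a threaded server because descriptor numbers are reused. The following C code is an added example, not SCAS or saml2-xacml2-c-lib code: struct client_conn and the function names are hypothetical, and dup(2) stands in for another thread's accept(2).

```c
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical per-client record; fd is -1 once the socket is closed. */
struct client_conn { int fd; };

/* Close at most once: 0 = closed by this call, 1 = already closed, -1 = close(2) failed. */
int conn_close_once(struct client_conn *c)
{
    if (c->fd < 0)
        return 1;
    int fd = c->fd;
    c->fd = -1;              /* invalidate first, so later error paths see -1 */
    return close(fd) == 0 ? 0 : -1;
}

/* Unguarded double close. Returns 1 if the second close(2) destroyed an
 * unrelated descriptor that had reused the number, 0 if not, -1 on setup error. */
int stale_close_hits_other_fd(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int client = sv[0];
    close(client);                    /* layer 1: callback cleanup */
    int other = dup(sv[1]);           /* stands in for another thread's accept(2) */
    int reused = (other == client);   /* POSIX hands out the lowest free number */
    close(client);                    /* layer 2: stale close in the error path */
    int victim_gone = (fcntl(other, F_GETFD) == -1);
    if (!victim_gone)
        close(other);
    close(sv[1]);
    return reused && victim_gone;
}

/* Same two cleanup paths, both going through the guard. Returns 1 if the
 * unrelated descriptor survived and the second call was a no-op. */
int guarded_close_is_safe(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    struct client_conn c = { sv[0] };
    int first = conn_close_once(&c);      /* callback cleanup */
    int other = dup(sv[1]);               /* number is reused here too */
    int second = conn_close_once(&c);     /* error path: no-op */
    int alive = (fcntl(other, F_GETFD) != -1);
    close(other);
    close(sv[1]);
    return first == 0 && second == 1 && alive;
}
```

The guard only helps when every layer that can reach the socket closes it through the same record.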

Platform detailed dependency:

For gLite 3.1:

  • sl4 32 bit: depends on saml2-xacml2-c-lib 0.0.14_2 (providing the drop-in replacement for Production)
  • sl4 64 bit: depends on saml2-xacml2-c-lib 0.0.15_2

For gLite 3.2:

  • sl5 64 bit: depends on saml2-xacml2-c-lib 0.0.15_2

This update fixes various bugs. For the full list of bugs, please see the list below.

Fixed bugs

Number Description
 #35770 Wrong parsing of the LB events which contains the string ending with '' in field DG.USERTAG.VALUE
 #48163 interlogger files may grow indefinitely
 #52648 [SCAS] Userban fails due to incorrect construction of pemstring
 #53524 SCAS: Denial of Service on SCAS daemon
 #55482 LB server version not published correctly

Updated rpms

Name Version Full RPM name Description
glite-SCAS 3.1.4-0 glite-SCAS-3.1.4-0.i386.rpm gLite metapackage (glite-SCAS)
glite-security-scas 0.2.6-7.slc4 glite-security-scas-0.2.6-7.slc4.i386.rpm Site Central Authorization Service, based on SAML2-XACML2
glite-version 3.1.1-2 glite-version-3.1.1-2.noarch.rpm Shows version information for the installed gLite node types

The RPMs can be updated using yum via

Service reconfiguration after update

Not needed.

Service restart after update

Service must be restarted.

How to apply the fix

  1. Update the RPMs (see above)
  2. Update configuration (see above)
  3. Restart the service if necessary (see above)