Security Updates
gLite 3.2 Security Update 02 - 24/01/2012
Priority of the update: High
Affected Services
- glite-APEL
- glite-TORQUE_utils
- glite-TORQUE_server
- glite-TORQUE_client
Description
gLite security update 02 addresses two EGI security vulnerability advisories:
https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-504
https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-3094
For glite-APEL, the update fixes a security bug and introduces no other changes. For more information see: https://rt.egi.eu/rt/Ticket/Display.html?id=504
For glite-TORQUE, it addresses a torque/munge impersonation vulnerability. There is no new functionality, and there should be no backward-incompatible interface changes in these packages.
Installation and Configuration
To update the services run:
yum update
glite-APEL: The service must be reconfigured with YAIM after updating/installation.
glite-TORQUE_server: The torque server (torque head node) and torque submitters (CEs) do not require a configuration change. Just updating the torque packages and restarting pbs_server should suffice. A minor issue with the pbs_server init.d script was resolved; the service should be automatically started after running YAIM, even if the service was stopped before.
glite-TORQUE_client: The torque client package (on worker nodes) now requires munge, which it did not before, so a reconfiguration is required (munge is needed by edg-pbs-knownhosts, which calls pbsnodes). Make sure the MUNGE_KEY_FILE variable in site-info.def points to the shared munge key.
The packages can also be downloaded from the following URLs:
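A check for the MUNGE_KEY_FILE setting described above for glite-TORQUE_client, to run on a worker node before reconfiguring. This is an added example, not part of the gLite release or its tooling. The function name check_munge_key and the optional digest argument are hypothetical, and it assumes site-info.def holds plain shell assignments and that GNU stat and sha256sum are available.

```shell
#!/bin/sh
# Added example (not gLite code): sanity-check the munge key that
# site-info.def points to. Assumes VAR=value lines and GNU coreutils.

# check_munge_key SITE_INFO [EXPECTED_SHA256]
# Returns 0 if the key looks usable; otherwise prints a reason on stderr
# and returns a distinct non-zero code. The key itself is never printed.
check_munge_key() {
    site_info=$1
    expected=${2:-}

    [ -r "$site_info" ] || { echo "cannot read $site_info" >&2; return 2; }

    # Take the last uncommented assignment; drop a trailing comment,
    # trailing whitespace and optional surrounding quotes.
    key=$(sed -n 's/^[[:space:]]*MUNGE_KEY_FILE=//p' "$site_info" | tail -n 1 |
          sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
              -e 's/^["'\'']//' -e 's/["'\'']$//')
    [ -n "$key" ] || { echo "MUNGE_KEY_FILE is not set in $site_info" >&2; return 3; }

    # The variable must point at a non-empty regular file.
    if [ ! -f "$key" ] || [ ! -s "$key" ]; then
        echo "$key: not a non-empty regular file" >&2
        return 4
    fi

    # The key is a shared secret: reject any group/other permission bits.
    mode=$(stat -c '%a' "$key") || return 5
    case $mode in
        *00) ;;
        *) echo "$key: mode $mode exposes the key to group/other" >&2; return 5 ;;
    esac

    # Optional: confirm this is the same key as on the torque head node by
    # comparing against a digest computed there with sha256sum.
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$key" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "$key: digest differs from expected" >&2; return 6; }
    fi
    return 0
}
```

Source the file and call check_munge_key with the path to the site's site-info.def, optionally passing the digest taken on the head node as the second argument.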
gLite 3.2 Security Update 01 - 15/11/2011
Priority of the update: High
Affected Services
- glite-BDII_site
- glite-BDII_top
- glite-CLUSTER
- glite-CREAM
- glite-FTS_oracle
- glite-LB
- glite-LFC_mysql
- glite-LFC_oracle
- glite-SE_dcache_info
- glite-SE_dpm_mysql
- glite-VOBOX
- glite-VOMS_mysql
- glite-VOMS_oracle
Description
This update adds a new YAIM post-configuration function for BDII to address the security issue described here: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-1414
The fix-bdii-conf rpm provides YAIM post-configuration functions fixing a few issues with the BDII configuration.
Installation and Configuration
Sites not using YAIM should have equivalent corrections added to their configuration management system. For Quattor please consult the Quattor WG for improved components.
Sites using YAIM should install the rpm on each affected gLite 3.2 node as follows:
yum install fix-bdii-conf
The rpm's post-install script then runs the functions automatically and the admin needs to do nothing else.
If the site has a fabric management system that disables such scripts, the admin can run the commands explicitly on the affected nodes. For a BDII_site or BDII_top:
bash /opt/glite/yaim/functions/post/config_bdii_5.1
For any other gLite 3.2 node type with a resource BDII:
bash /opt/glite/yaim/functions/post/config_bdii_only
The affected package can also be downloaded from here:
Known Issues
When YAIM is subsequently run on an affected node, it may log the following error:
config_bdii_only_check_post: command not found
That error does not affect the configuration and can be ignored.
