Security Updates

gLite 3.2 Security Update 02 - 24/01/2012

Priority of the update: High

Affected Services

  • glite-APEL
  • glite-TORQUE_utils
  • glite-TORQUE_server
  • glite-TORQUE_client

Description

gLite security update 02 addresses two EGI security vulnerability advisories:

https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-504

https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-3094

For glite-APEL, the update fixes a security bug and introduces no other changes. For more information see: https://rt.egi.eu/rt/Ticket/Display.html?id=504

For glite-TORQUE, it addresses a torque/munge impersonation vulnerability. There is no new functionality, and there should be no backward incompatible interface changes in these packages.

Installation and Configuration

To update the services run:

yum update

glite-APEL: The service must be reconfigured with YAIM after updating/installation.

glite-TORQUE_server: The torque server (torque head node) and torque submitters (CEs) do not require a configuration change. Just updating the torque packages and restarting pbs_server should suffice. A minor issue with the pbs_server init.d script was resolved; the service should be automatically started after running YAIM, even if the service was stopped before.

glite-TORQUE_client: The torque client package (on worker nodes) now requires munge, which it did not before, so a reconfiguration is required. Munge is needed by edg-pbs-knownhosts, which calls pbsnodes. Make sure the MUNGE_KEY_FILE variable in site-info.def points to the shared munge key.
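
A check to run before YAIM for the MUNGE_KEY_FILE requirement above, as an added example that is not part of the gLite release notes. It assumes site-info.def assigns MUNGE_KEY_FILE a literal path on a single line; the function names and return codes are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify MUNGE_KEY_FILE from site-info.def before running YAIM.
# Return codes (constructed for this example):
#   0 ok (prints SHA-256 of the key), 2 variable not set,
#   3 key file missing or empty, 4 key accessible to group/other.
# Usage: sh check_munge_key.sh /path/to/site-info.def
# Compare the printed digest with the one from the torque head node:
# a "shared" key means the digests are identical on every node.

# Print the last MUNGE_KEY_FILE value without sourcing the file
# (sourcing would execute whatever else the file contains).
# Limitation: values built from other variables are not expanded.
munge_key_path() {
    sed -n 's/^[[:space:]]*MUNGE_KEY_FILE=//p' "$1" \
        | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

check_munge_key() {
    cmk_def="$1"
    cmk_key=$(munge_key_path "$cmk_def")
    if [ -z "$cmk_key" ]; then
        echo "MUNGE_KEY_FILE is not set in $cmk_def" >&2
        return 2
    fi
    if [ ! -s "$cmk_key" ]; then
        echo "$cmk_key is missing or empty" >&2
        return 3
    fi
    # munged rejects a key file that group or others can access,
    # so any bit in the low six permission bits is a failure.
    cmk_mode=$(stat -c '%a' "$cmk_key")
    if [ $(( 0$cmk_mode & 077 )) -ne 0 ]; then
        echo "$cmk_key has mode $cmk_mode; remove group/other access" >&2
        return 4
    fi
    sha256sum "$cmk_key" | cut -d' ' -f1
}

# Run the check only when a site-info.def path is given.
if [ "$#" -gt 0 ]; then
    check_munge_key "$1"
fi
```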

The packages can also be downloaded from the following URLs:

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.updates/glite-apel-publisher-2.0.13-8.sl5.noarch.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.updates/glite-TORQUE_client-3.2.9-1.x86_64.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.updates/glite-TORQUE_server-3.2.5-1.x86_64.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.updates/glite-TORQUE_utils-3.2.5-1.x86_64.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.externals/libtorque-2.5.7-7.el5.x86_64.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.externals/torque-2.5.7-7.el5.x86_64.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.externals/torque-client-2.5.7-7.el5.x86_64.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.externals/torque-mom-2.5.7-7.el5.x86_64.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.externals/torque-server-2.5.7-7.el5.x86_64.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.updates/glite-yaim-torque-client-4.1.0-2.sl5.noarch.rpm

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.updates/glite-yaim-torque-server-4.1.1-1.sl5.noarch.rpm

gLite 3.2 Security Update 01 - 15/11/2011

Priority of the update: High

Affected Services

  • glite-BDII_site
  • glite-BDII_top
  • glite-CLUSTER
  • glite-CREAM
  • glite-FTS_oracle
  • glite-LB
  • glite-LFC_mysql
  • glite-LFC_oracle
  • glite-SE_dcache_info
  • glite-SE_dpm_mysql
  • glite-VOBOX
  • glite-VOMS_mysql
  • glite-VOMS_oracle

Description

This update provides a new YAIM post-configuration function for BDII that addresses the security issue described at https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-1414

The fix-bdii-conf rpm provides YAIM post-configuration functions fixing a few issues with the BDII configuration.

Installation and Configuration

Sites not using YAIM should have equivalent corrections added to their configuration management system. For Quattor please consult the Quattor WG for improved components.

Sites using YAIM should install the rpm on each affected gLite 3.2 node as follows:

yum install fix-bdii-conf

The rpm's post-install script then runs the functions automatically and the admin needs to do nothing else.

If the site has a fabric management system that disables such scripts, the admin can run the commands explicitly on the affected nodes. For a BDII_site or BDII_top:

bash /opt/glite/yaim/functions/post/config_bdii_5.1

For any other gLite 3.2 node type with a resource BDII:

bash /opt/glite/yaim/functions/post/config_bdii_only

The affected package can also be downloaded from here:

http://glitesoft.cern.ch/EGEE/gLite/R3.2/glite-GENERIC/sl5/x86_64/RPMS.release/fix-bdii-conf-1.1.0-1.noarch.rpm

Known Issues

When YAIM is subsequently run on an affected node, it may log the following error:

config_bdii_only_check_post: command not found

That error does not affect the configuration and can be ignored.