Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site.

VDT Security Advisories

| Date | Affected Versions | Summary and More Information |
|---|---|---|
| 2009-07-28 | All versions of dCache 1.8.x, and various versions of dCache 1.9.x. | Some versions of dCache have a security vulnerability in the SRM subsystem. |
| 2009-06-05 | All versions of the VDT prior to VDT 2.0.0p2 and 1.10.1x. | Glexec versions 0.5.35 and earlier have a vulnerability that allows authorized users to become root. |
| 2008-06-09 | All versions of the VDT prior to VDT 1.10.1c and 1.8.1n. | Blank until sites have a chance to upgrade. Security risk: medium |
| 2007-08-24 | VDT versions 1.6.1 through 1.8.0 | VOMRS is vulnerable to cross-site scripting attacks |
| 2007-05-31 | srmwatch version X and earlier, as packaged with the VDT packaging of dCache. (The version number will be supplied soon, but anything distributed before May 30, 2007 is vulnerable.) | SRMWatch contains an SQL injection attack that can allow malicious users to steal private data including proxy certificates. |
| 2007-05-21 | VDT versions 1.6.1 and earlier | Globus contains a potential denial of service attack that can be caused by sending invalid data to a GRAM 2 (pre-web services) job manager. |
| 2007-04-10 | VDT versions 1.6.1 and earlier | Older versions of GSI OpenSSH contain a problem that may allow attackers to both deny service and execute arbitrary code. |
| 2007-03-22 | All VDT releases with Tomcat 5 | Tomcat contains an information leakage vulnerability and MySQL 5 an SQL injection attack |
| 2006-09-12 | All VDT releases prior to 1.3.12 | All versions of VOMS up through 1.6.16 (at least) contain a vulnerability that affects proxies and temporary files |
| 2006-09-06 | All VDT releases prior to 1.5.0. | All versions of Globus before 4.0.3 contain vulnerabilities that affect proxies and temporary files. |
| 2006-04-04 | All VDT releases prior to 1.3.10b and 1.3.11 | Condor versions prior to 6.7.18 and 6.6.11 contain security vulnerabilities |
| 2006-03-13 | Potentially all versions of the VDT 1.3 series before 1.3.9b and 1.1.14. | File and directory permissions allow trusted users to gain root access. |
| 2004-12-16 | 1.2.2 and below | A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges. |
| 2004-07-26 | 1.1.14 and below | Certain GRIS information providers can allow arbitrary code execution as the user running the GRIS daemon. |
| 2004-07-13 | 1.1.13, 1.1.14 | GSI OpenSSH server, in combination with certain system settings, can allow an authenticated user to become any user on the system. |