A security team at UW-Madison is conducting an ongoing security audit of the Condor system and has identified a few important vulnerabilities. Condor versions 6.6.11 and 6.7.18 fix these security problems and other bugs. There have been no reported exploits, but all sites are urged to upgrade immediately.
The Condor Team will publish detailed reports of these vulnerabilities on 2006-04-24, 4 weeks from the date when the fixes were first released (2006-03-27). This will allow all sites time to upgrade before enough information to exploit these bugs is widely available.
Also from the release notes:
Bugs in previous versions of Condor could allow any user who can submit jobs on a machine to gain access to the condor account (or whatever non-privileged user the Condor daemons are running as). This bug cannot be exploited remotely, only by users already logged onto a submit machine in the Condor pool.
The security of the condor_config_val -set feature was found to be insufficient, so this feature is now disabled by default. There are new configuration settings to enable this feature in a secure manner. Please read the descriptions of ENABLE_RUNTIME_CONFIG, ENABLE_PERSISTENT_CONFIG and PERSISTENT_CONFIG_DIR in the example configuration file shipped with the latest Condor releases, or in section 3.3.4.
As of 4 April 2005, VDT 1.3.10b and the prerelease VDT 1.3.11 contain Condor 6.7.18.