VDT 1.3.9, 1.3.10, 1.3.11 and 1.4.0 have been updated to address the
recently announced Globus security update. More information from Globus:
Temporary File Handling Vulnerability Announcement
Proxy Generation Tool Vulnerability Announcement
The update corrects problems in temporary file handling. Some of these problems could allow a local malicious user to steal or replace your proxy certificate. We encourage you to take this update.
To apply the patch, you simply install an additional package that overlays the portions of Globus that have been updated. If you find any problems with the update, you can roll it back to before the update by uninstalling this package.
If you have installed Globus, you need this update. If you have not installed Globus, you do not.
If you have installed the "Condor" package to use as Condor-G, you've installed a subset of Globus that includes grid-proxy-init. You should install this update.
Many packages are similar and have installed a subset of Globus. If you have a "globus" subdirectory in your VDT installation, and you are unsure if you need it, go ahead and install the update.
To install this update, follow the directions for your version of the VDT:
VDT 1.3.9:
pacman -allow save-setup
pacman -get http://vdt.cs.wisc.edu/vdt_139_cache:Globus-Security-Update-1

VDT 1.3.10:
pacman -allow save-setup
pacman -get http://vdt.cs.wisc.edu/vdt_1310_cache:Globus-Security-Update-1

VDT 1.3.11:
pacman -allow save-setup
pacman -get http://vdt.cs.wisc.edu/vdt_1311_cache:Globus-Security-Update-1

VDT 1.4.0:
pacman -allow save-setup
pacman -get http://vdt.cs.wisc.edu/vdt_140_cache:Globus-Security-Update-1
After you install, restart RLS and/or the Globus web services container if you are using them.
If you feel that you have encountered a problem with this security update, you can remove it with a single command, the same one for each version of the VDT:
pacman -remove Globus-Security-Update-1
Although the package you install is named Globus-Security-Update-1, there are no other security updates at this time: for example, there is no Globus-Security-Update-2. We chose this name just in case there is a future update that needs to be installed.
VDT 1.3.9, 1.3.10 and 1.3.11 were chosen because these were the supported versions of the VDT in the Open Science Grid when the advisory was released. VDT 1.4.0 is essentially VDT 1.3.11, so it is included as well.
You can tell if the update is installed with a single Pacman command:
pacman -d 0 -l Globus-Security-Update-1
If it's not installed, Pacman will report that it cannot be found.
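The advisory does not detail the temporary-file problems that the update corrects. As an added illustration (not Globus or VDT code, and not the patch itself), the following C example shows the general defensive pattern for writing a credential such as a proxy certificate so that another local user can neither read it nor plant the file in advance: exclusive creation with owner-only permissions, plus a check before the file is trusted. The function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write all len bytes, retrying on short writes and EINTR. */
static int write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Create path as a new owner-only file holding data; 0 on success, -1 on error. */
int create_private_file(const char *path, const char *data, size_t len)
{
    /* O_EXCL refuses any pre-existing name, including a symlink planted by
     * another local user; mode 0600 applies from creation, leaving no window. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 || write_all(fd, data, len) != 0) {
        int saved = errno;
        close(fd);
        unlink(path);   /* do not leave a partial credential behind */
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Before trusting a credential file: regular file (not a symlink), owned by
 * us, single link, no group/other permission bits. Returns 1 if acceptable. */
int is_private_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() && st.st_nlink == 1 &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```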