Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

Globus Security Vulnerability

Summary

All versions of Globus before 4.0.3 contain vulnerabilities that affect proxies and temporary files.

Relevant Versions

This advisory affects the following VDT versions: 1.3.9, 1.3.10, 1.3.11 and 1.4.0.

Date Announced

2006-09-06

Description

VDT 1.3.9, 1.3.10, 1.3.11 and 1.4.0 have been updated to address the recently announced Globus security update. More information from Globus:
Temporary File Handling Vulnerability Announcement
Proxy Generation Tool Vulnerability Announcement
Bug ticket

The update corrects problems in temporary file handling. Some of these problems could allow a local malicious user to steal or replace your proxy certificate. We encourage you to take this update.
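Added here as an example, not code from the advisory or from Globus: a POSIX shell check of the condition the fix protects, namely that a user's proxy credential file cannot be read, and the directory holding it cannot be used to replace it, by another local user. It assumes the conventional Globus proxy path /tmp/x509up_u<uid> (overridable through X509_USER_PROXY) and a hypothetical script name check_proxy.sh; the file and directory it is exercised on are constructed.

```shell
#!/bin/sh
# Added example, not part of the VDT advisory or the Globus code base.
# Checks that a Globus proxy credential file is private: owned by the calling
# user, with no group/other permission bits, and kept in a directory where
# other users cannot remove or replace files. The default proxy location
# /tmp/x509up_u<uid> is the conventional Globus path (assumption; honour
# X509_USER_PROXY where a site sets it).

# default_proxy_path: print the proxy path this user would normally use.
default_proxy_path() {
    printf '%s\n' "${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}"
}

# mode_and_owner PATH: print "<10-char mode string> <numeric uid>" using
# POSIX "ls -ldn", which avoids the GNU/BSD differences in stat(1) flags.
mode_and_owner() {
    ls -ldn "$1" | awk '{print substr($1, 1, 10), $3}'
}

# check_proxy_file FILE: return 0 if FILE is a regular file owned by the
# caller with no group/other bits set, 1 otherwise (reason goes to stderr).
check_proxy_file() {
    f="$1"
    [ -f "$f" ] || { echo "no regular file at $f" >&2; return 1; }
    set -- $(mode_and_owner "$f")
    mode="$1"; owner="$2"
    if [ "$owner" != "$(id -u)" ]; then
        echo "$f is owned by uid $owner, not uid $(id -u)" >&2
        return 1
    fi
    case "$mode" in
        ????------) return 0 ;;
        *) echo "$f is readable or writable by group/other (mode $mode)" >&2
           return 1 ;;
    esac
}

# check_proxy_dir DIR: return 0 unless DIR is world-writable without the
# sticky bit, which would let any local user unlink or replace files in it.
check_proxy_dir() {
    d="$1"
    [ -d "$d" ] || { echo "no directory at $d" >&2; return 1; }
    set -- $(mode_and_owner "$d")
    mode="$1"
    case "$mode" in
        ????????w?)
            case "$mode" in
                ?????????[tT]) return 0 ;;
                *) echo "$d is world-writable without the sticky bit (mode $mode)" >&2
                   return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# check_proxy [FILE]: run both checks on FILE (default: default_proxy_path).
check_proxy() {
    f="${1:-$(default_proxy_path)}"
    check_proxy_dir "$(dirname "$f")" && check_proxy_file "$f"
}

# When saved as check_proxy.sh (hypothetical name) and run directly, the exit
# status reports the result; when sourced, only the functions are defined.
if [ "${0##*/}" = "check_proxy.sh" ]; then
    check_proxy "$@"
fi
```

Run it as `sh check_proxy.sh` to check the default proxy, or pass an explicit path. A non-zero exit with a message on stderr means the proxy file or its directory is exposed to other local users and should be recreated (for example with a fresh grid-proxy-init after the update) before it is trusted.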

To apply the patch, you simply install an additional package that overlays the portions of Globus that have been updated. If you find any problems with the update, you can roll it back to before the update by uninstalling this package.

Do you need this update?

If you have installed Globus, you need this update. If you have not installed Globus, you do not.

If you have installed the "Condor" package to use as Condor-G, you've installed a subset of Globus that includes grid-proxy-init. You should install this update.

Many other packages likewise install a subset of Globus. If your VDT installation has a "globus" subdirectory and you are unsure whether you need the update, go ahead and install it.

Solution

To install this update, follow the directions for your version of the VDT:

VDT 1.3.9

pacman -allow save-setup
pacman -get http://vdt.cs.wisc.edu/vdt_139_cache:Globus-Security-Update-1

VDT 1.3.10

pacman -allow save-setup
pacman -get http://vdt.cs.wisc.edu/vdt_1310_cache:Globus-Security-Update-1

VDT 1.3.11

pacman -allow save-setup
pacman -get http://vdt.cs.wisc.edu/vdt_1311_cache:Globus-Security-Update-1

VDT 1.4.0

pacman -allow save-setup
pacman -get http://vdt.cs.wisc.edu/vdt_140_cache:Globus-Security-Update-1

For all releases

After you install, restart RLS and/or the Globus web services container if you are using them.

Removal

If you feel that you have encountered a problem with this security update, you can remove it with a single command, the same one for each version of the VDT:

pacman -remove Globus-Security-Update-1

Additional Notes

Although the package you install is named Globus-Security-Update-1, there are no other security updates at this time: for example, there is no Globus-Security-Update-2. We chose this name just in case there is a future update that needs to be installed.

VDT 1.3.9, 1.3.10 and 1.3.11 were chosen because they were the versions of the VDT supported in the Open Science Grid when the advisory was released. VDT 1.4.0 is essentially VDT 1.3.11, so it is included as well.

You can tell whether it is installed with a single Pacman command:

pacman -d 0 -l Globus-Security-Update-1

If it is not installed, Pacman will report that it cannot be found.

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.