Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

VDT security advisory 2008-06

Summary

Blank until sites have a chance to upgrade. Security risk: medium

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2008-06-09

Description

This description is being left blank until sites have a chance to upgrade.

Security risk: medium

The problem is due to an interaction between Condor's execute directory when it is named /home/condor/execute and certain other programs in the VDT.

Solution

If you do not have a /home/condor/execute directory on your system (on any computer where the VDT is installed, including computers that access the VDT through mounting a shared filesystem), then you do not need to apply any fix because there is no vulnerability.

If you have VDT 1.8.1n or later, or if you have VDT 1.10.1c or later, you do not need the fix. All earlier versions of the VDT are vulnerable: we are only providing fixes for VDT 1.8.1 and VDT 1.10.1. You can check the version of the VDT you are using with the vdt-version command.

If you do have a /home/condor/execute directory:

Option 1: Update the VDT

This can be done for VDT 1.8.1 (OSG 0.8) or VDT 1.10.1 (OSG 1.0) with the following commands:

> cd $VDT_LOCATION
> . setup.sh
> vdt-control --off

At this point, manually stop off running VDT programs 
that are not affected by vdt-control, such as running 
Globus job managers.

> pacman -update VDT-Common
> $VDT_LOCATION/vdt/rpath/vdt-remove-rpaths $VDT_LOCATION
> vdt-control --on

VDT 1.8.1n release notes and update instructions
VDT 1.10.1c release notes and update instructions

Option 2: Change Condor's execute directory

If you don't use Condor, remove the offending directory, /home/condor/execute. If you use Condor, you can tell Condor to use a different execute directory. Naming it anything else will be fine, perhaps /home/condor/EXECUTE.

Option 3: Upgrade to Condor 7.0.2 or later

Assuming you don't run Condor from a root-squashed NFS volume, upgrading Condor to 7.0.2 will also solve the problem. Condor 7.0.2 was released on 10-Jun-2008.

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.