Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site.

VOMS Security Vulnerability

Summary

All versions of VOMS up through 1.6.16 (at least) contain a temporary-file handling vulnerability in voms-proxy-init that puts users' proxy certificates at risk.

Relevant Versions

This advisory affects the following VDT versions: 1.3.9, 1.3.10, and 1.3.11 (the versions for which updates are provided below).

Date Announced

2006-09-12

Description

After Globus announced a security vulnerability in grid-proxy-init, the VOMS developers confirmed that voms-proxy-init had the same class of problem. Updated packages are available for VDT 1.3.9, 1.3.10, and 1.3.11.

The update corrects problems in how voms-proxy-init handles temporary files. Some of these problems could allow another local user on the same machine to read (steal) or replace your proxy certificate, and a stolen proxy lets its holder act as you on the grid for as long as the proxy is valid. We strongly encourage you to apply this update.
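
The conditions that such temporary-file problems create can be spot-checked on an existing proxy file. The POSIX shell script below is an added example; it is not part of this advisory or of the VDT or VOMS distributions. It assumes the usual Globus proxy location, $X509_USER_PROXY or /tmp/x509up_u<uid>, which this advisory does not name. It rejects a proxy path that is a symbolic link (the planted-link pattern that makes a program write its secret into a file the attacker chose), that is not a regular file, that is owned by someone else, or whose mode is not 0600, and it flags a containing directory that is world-writable without the sticky bit.

```shell
#!/bin/sh
# Added example, not VDT or VOMS code: audit a proxy certificate file for
# the conditions a local temp-file attack would leave behind.

# check_proxy_file FILE
# Returns 0 when FILE is a regular file (not a symlink), owned by the
# calling user, with mode exactly 0600. Prints the first failing condition.
check_proxy_file() {
    f=$1
    # Test for a symbolic link first: -e and -f would follow the link and
    # report on its target, hiding the planted link itself.
    if [ -L "$f" ]; then
        echo "$f: is a symbolic link"; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: missing or not a regular file"; return 1
    fi
    me=$(id -un)
    # find(1) with -prune examines only the named path; -user and an
    # exact -perm mode are POSIX, whereas stat(1) options differ between
    # GNU and BSD systems.
    if [ -z "$(find "$f" -prune -user "$me" -print)" ]; then
        echo "$f: not owned by $me"; return 1
    fi
    if [ -z "$(find "$f" -prune -perm 0600 -print)" ]; then
        echo "$f: mode is not 0600"; return 1
    fi
    return 0
}

# check_proxy_dir DIR
# A directory that other users can write to lets them rename or remove
# entries, including the proxy, unless the sticky bit restricts that to
# the owner (as it does on a normal /tmp). -H follows DIR if it is itself
# a symlink, so the real directory's mode is examined.
check_proxy_dir() {
    d=$1
    if [ -n "$(find -H "$d" -prune -perm -0002 ! -perm -1000 -print)" ]; then
        echo "$d: world-writable without the sticky bit"; return 1
    fi
    return 0
}

# audit_proxy
# Checks the proxy at the assumed default location (an assumption of this
# example; the advisory does not state the path).
audit_proxy() {
    f=${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}
    check_proxy_dir "$(dirname "$f")" && check_proxy_file "$f"
}

# Usage: source this file, then run: audit_proxy
```

This is a spot check of the file as it is now; it cannot tell you whether a race was won against an earlier voms-proxy-init run, so it complements the update rather than replacing it. A failing check on a proxy you just created is a reason to destroy that proxy, remove the offending path, and create a new one after installing the update.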

To apply the patch, you install one additional package that overlays voms-proxy-init with the updated binary. The location of the binary depends on your VDT version:

VDT      Path to voms-proxy-init
1.3.9    $VDT_LOCATION/voms/bin/edg-voms-proxy-init
1.3.10   $VDT_LOCATION/voms/bin/edg-voms-proxy-init
1.3.11   $VDT_LOCATION/glite/bin/voms-proxy-init

If the update causes problems, you can roll back to the pre-update state by removing the update package (see Removal below).

Do you need this update?

If your installation includes voms-proxy-init (see the table above for the path for your VDT version), you need this update. Generally speaking, if you installed the VOMS-Client package or any package that includes it (e.g., VOMS, VDT, VDT-Client), you have voms-proxy-init and need this update.

Solution

To install the update, follow the directions for your version of the VDT:

VDT 1.3.9

  1. Change to your $VDT_LOCATION directory
  2. Tell pacman to preserve your setup.* files
    pacman -allow save-setup
  3. Install the update
    pacman -get http://vdt.cs.wisc.edu/vdt_139_cache:VOMS-Security-Update-1

VDT 1.3.10

  1. Change to your $VDT_LOCATION directory
  2. Tell pacman to preserve your setup.* files
    pacman -allow save-setup
  3. Install the update
    pacman -get http://vdt.cs.wisc.edu/vdt_1310_cache:VOMS-Security-Update-1

VDT 1.3.11

  1. Change to your $VDT_LOCATION directory
  2. Tell pacman to preserve your setup.* files
    pacman -allow save-setup
  3. Install the update
    pacman -get http://vdt.cs.wisc.edu/vdt_1311_cache:VOMS-Security-Update-1

Removal

If you believe you have encountered a problem with the security update, you can remove it with a single command, run from your $VDT_LOCATION directory; it is the same for each version of the VDT:

pacman -remove VOMS-Security-Update-1

The package name is VOMS-Security-Update-1, matching the name used in the install commands above. Removing it puts the original, vulnerable voms-proxy-init back in place, so treat removal as a temporary measure until the problem is resolved and the update can be reinstalled.

Additional Notes

Although the package you install is named VOMS-Security-Update-1, there is no VOMS-Security-Update-2 or any other VOMS security update at this time. The number is there only so that a future update can be distinguished from this one.

Updates were built for VDT 1.3.9, 1.3.10, and 1.3.11 because these are the versions of the VDT currently supported in the Open Science Grid.

You can tell whether the update is installed by running vdt-version:

vdt-version

If the update is installed, the output will contain a version entry for "VOMS Security Update", in addition to the "VOMS" and (possibly) "VOMS Admin" entries. If that entry is absent, the update has not been applied to this installation.

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.