GSVG Advisories from 2007 and 2008
The GSVG produces advisory notices for Grid security vulnerabilities, and these are published below. Release notes should refer to advisories.
Related pages: Notes on advisories; Notes on Risk; release notes for gLite 3.0 distribution; release notes for gLite 3.1 distribution.
| Date | Title | Advisory | Risk | Status |
|---|---|---|---|---|
| 01/12/08 | LCAS/LCMAPS vulnerability affecting Condor CE | advisory-35858.txt | High | Fixed |
| 26/11/08 | Possible DoS vulnerability of globus-job-manager nexus | advisory-26758.txt | Moderate | Fixed |
| 24/11/08 | Configuration files should not be world readable | advisory-10884.txt | ** | Fixed |
| 01/09/08 | globus executables vulnerability | advisory-36901.txt | Moderate | Fixed |
| 28/08/08 | Denial of service for condor batch system | advisory-27482.txt | Low | Fixed |
| 21/08/08 | glite-wms-job-status does not use encryption | advisory-31911.txt | Low | Fixed |
| 21/08/08 | A CE in pull mode could pull job inappropriately | advisory-8975.txt | ** | Fixed |
| 18/08/08 | Possible DOS with Globus Gridmap processing | advisory-23818.txt | Low | Fixed |
| 18/08/08 | Vulnerability in the Torque MOM remote reconfiguration | advisory-29886.txt | High | Fixed |
| 18/08/08 | CRL with future validity does not cause validation problem | advisory-16967.txt | Low | Fixed |
| 08/08/08 | LFC buffer overflow vulnerabilities | advisory-34239.txt | Moderate | Fixed |
| 08/08/08 | gridftp allows access to system files | advisory-13779.txt | ** | Disclosed |
| 19/06/08 | When using Java/Tomcat users may be authenticated in the absence of a CRL | advisory-10307.txt | ** | Fixed |
| 10/06/08 | globus mapping on lcg-CE can lead to root access | advisory-37333.txt | High | Fixed |
| 10/04/08 | Credential checking for python API for gLite WMS | advisory-29468.txt | Moderate | Fixed |
| 10/04/08 | The use of different sets of pool accounts with an overlapping name space can lead to unwanted mappings | advisory-12171.txt | ** | Fixed |
| 02/04/08 | Denial of service due to absence of user limits | advisory-28751.txt | Low | Disclosed |
| 25/01/08 updated 18/08/08 | The trust in one VOMS server can be exploited for creation of the same FQANs issued by another VOMS server | advisory-10967.txt | ** | Disclosed |
| 10/01/08 | Incorrect File Permissions for VO software | advisory-31657.txt | High | Fixed |
| 10/01/08 | Users can use the fork jobmanager to block all pool accounts on a CE | advisory-27433.txt | Low | Fixed |
| 11/12/07 | User Processes can persist after the end of batch jobs | advisory-9054.txt | Moderate | Disclosed |
| 06/12/07 | VOMS Admin cross-site scripting (XSS) vulnerability | advisory-29334.txt | Moderate | Fixed |
| 30/11/07 | The Portable Batch System (PBS) has a DoS vulnerability | advisory-29551.txt | Low | Fixed |
| 28/11/07 | Migrate from VO LDAP server | advisory-9067.txt | ** | Obsolete |
| 18/10/07 | Migrate from classic SE | advisory-9071.txt | ** | Obsolete |
| 06/09/07 | fork job manager | advisory-9055.txt | ** | Disclosed |
| 22/08/07 | Creating or (re)placing directories without permission checks | advisory-28462.txt | High | Fixed |
| 20/08/07, updated 10/04/08 | Usage of long lived proxies | advisory-9059.txt | ** | Fixed |
| 16/08/07 | Blah parser exposes logs to the world | advisory-17088.txt | ** | Disclosed |
| 16/08/07 revised 09/02/09 | LCMAPS account recycling with a non-unique group mapping | advisory-9048.txt | ** | Disclosed |
| 13/08/07 | Possibility of exploit in torque/openpbs with moving jobs between servers | advisory-20980.txt | Low | Fixed |
| 13/08/07 updated 19/01/10 | DN information leak on the RB/WMS | advisory-18049.txt | Low | Obsolete |
| 13/08/07 updated 18/08/08 | EGEE packaged tomcat (5-.0.28-11_EGEE) information disclosure | advisory-18543.txt | Low | Fixed |
| 06/08/07 revised 18/10/07 | File systems allow user access to system files | advisory-20192.txt | Moderate | Disclosed |
| 06/08/07 | MySQL backdoor in R-GMA | advisory-8974.txt | Low | Disclosed |
| 06/08/07 | Java trustmanager does not consider CA signing policies | advisory-15363.txt | Low | Disclosed |
| 31/07/07 | sgm users may be able to steal each others proxy | advisory-12161.txt | Moderate | Disclosed |
| 31/07/07 | Unauthorized access to Maui scheduler | advisory-21665.txt | Moderate | Disclosed |
| 31/07/07, updated 27/11/2007 | EGEE Tomcat Privilege escalation | advisory-21428.txt | Moderate | Fixed |
| 19/07/07 | DPM gridftp service incorrect credential propagation | advisory-27657.txt | High | Fixed |
** issues which were originally handled before the start of EGEE-II and not re-assessed with the EGEE-II criteria.
Please note that prior to July 2007 advisories were published in the release notes, not on this web page.
| Status | Explanation |
|---|---|
| Fixed | Patches available/fully resolved |
| Disclosed | Disclosed due to reaching Target date |
| Obsolete | S/W no longer in use |
Last modified Tue 19 January 2010.