Release Notes 3 4 2
These are the release notes for SRB 3.4.2, released Monday, June 26, 2006.
A security team at the University of Wisconsin-Madison (James Kupsch and Barton Miller), in collaboration with the SDSC SRB team, is conducting an ongoing security audit of the SRB system and has identified a few important vulnerabilities. There have been no reported exploits, but all sites are urged to upgrade as soon as possible. As vulnerabilities (in any software) become more widely known, the risks increase.
The three (related) vulnerabilities allow SRB users to read/write non-Vault files that are readable/writable by the the srbadmin user (unix user running the SRB) in the server system. The user can access all other files that the srb user can access. Any file, including scripts, logs, and configuration files, may be compromised. Additionally, other sensitive system files may be read, such as /etc/passwd, that may aid in other attacks. These vulnerabilities are somewhat mitigated because one has to be a registered SRB user.
Three small source changes (bug fixes) included in this release, close these holes. These fixes need to be applied to all SRB Servers, MCAT-enabled and non. Clients need not be updated except for some of the bugs below. These fixes can be applied to previous versions, if necessary.
- bug 229 GridFTP driver uses the wrong credential to connect to GridFtp server for some of the operations such as phymove which causes these operrations to fail.
- bug 230 Uploading a directory with a large number of subdirectories can fail because the server is not releasing the locked file descriptors.
- bug 231 Upload of files larger than 2 gBytes into GridFtp resources failed.
- bug 232 Uploading a very large file or a large number of files into a container can fail because of network connection timeout due to inavtivity between the server and the MCAT enabled server.
- Fix a core dump problem for HPSS type resources involving parallel I/O on Linux servers.
- Added a new option -o to show collection ownership in SgetColl.