EGI SVG Advisories

Advisory-SVG-2012-3390

** WHITE information - Unlimited distribution allowed **
** see https://go.egi.eu/tlp for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2012-3390]

Title:       "Low" Risk: DPM Information Leak Vulnerability

Date:        2014-08-05
Updated:

URL:         https://advisories.egi.eu/2012/Advisory-SVG-2012-3390

Introduction
============

An information leak vulnerability has been found in DPM (Disk Pool Manager).

This has been resolved in a new version of the dpm-dsi library, which is
available in the EGI UMD.



Details
=======

An information leak vulnerability has been found in DPM which may allow users
to access files, including log files, which they are not entitled to access.

This has been resolved in a new version of the dpm-dsi library used by DPM,
which is available in the EGI UMD.

The version of this library which resolves this issue is also available in
EPEL.


Risk Category
=============

This issue has been assessed as "Low" risk by the EGI SVG Risk Assessment Team.


Affected Software
=================

DPM installations using a version of the dpm-dsi library earlier than
dpm-dsi-1.9.3 are affected.

This vulnerability has been fixed in version dpm-dsi-1.9.3, as available
in the EGI UMD-3.
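An added example, not part of the advisory, of how a site administrator could check whether an installed dpm-dsi package predates the fixed release. The package strings below are constructed; the check assumes the usual rpm NAME-VERSION-RELEASE.ARCH form that `rpm -q dpm-dsi` prints.

```shell
#!/bin/sh
# Added example: flag dpm-dsi packages older than the fixed release 1.9.3.
FIXED_VERSION="1.9.3"

# Extract the upstream version from a package string such as
# "dpm-dsi-1.9.2-1.el6.x86_64" -> "1.9.2" (drops name, release and arch).
dpm_dsi_version() {
    v=${1#dpm-dsi-}
    printf '%s\n' "${v%%-*}"
}

# Return 0 (true) if dotted version $1 is strictly older than $2.
# Missing components count as 0, so 1.9 < 1.9.3 and 1.10 > 1.9.3.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}
        ap=${ap%%[!0-9]*}; bp=${bp%%[!0-9]*}   # keep the numeric prefix only
        [ -z "$ap" ] && ap=0
        [ -z "$bp" ] && bp=0
        [ "$ap" -lt "$bp" ] && return 0
        [ "$ap" -gt "$bp" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 1
}

# Return 0 (true) if the given dpm-dsi package string is affected.
dpm_dsi_vulnerable() {
    version_lt "$(dpm_dsi_version "$1")" "$FIXED_VERSION"
}

# Constructed sample package strings; on a real host use: rpm -q dpm-dsi
for pkg in "dpm-dsi-1.9.2-1.el6.x86_64" "dpm-dsi-1.9.3-3.el6.x86_64"; do
    if dpm_dsi_vulnerable "$pkg"; then
        echo "$pkg: AFFECTED (older than dpm-dsi-$FIXED_VERSION)"
    else
        echo "$pkg: not affected"
    fi
done
```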


Mitigation
==========

No mitigation is recommended.


Component Installation information
==================================

The official repository for the distribution of grid middleware for EGI sites
is repository.egi.eu which contains the EGI Unified Middleware Distribution
(UMD).


Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

http://repository.egi.eu/2014/07/24/dpm-dsi-1-9-3-3/


Please note that DPM is no longer maintained in the EMI repository.


DPM is now also available in EPEL

https://fedoraproject.org/wiki/EPEL



Recommendations
===============

Sites are recommended to update their software in due course.


Credit
======

This vulnerability was reported by Ulf Tigerstedt.


Timeline
========

Yyyy-mm-dd

2012-02-09 Vulnerability reported by Ulf Tigerstedt
2012-02-09 Acknowledgement from the EGI SVG to the reporter
2012-02-14 Software providers responded and involved in investigation
2012-02-20 Assessment by the EGI Software Vulnerability Group reported
           to the software providers
2014-07-24 Updated packages available in the EGI UMD
2014-08-04 Checked that above version fixes this vulnerability.
2014-08-05 Public disclosure