EGI SVG Advisories

Advisory-SVG-2012-4670

** WHITE information - Unlimited distribution allowed        **
** see https://go.egi.eu/tlp for distribution restrictions   **

EGI SVG   ADVISORY [EGI-SVG-2012-4670]

Title: EGI SVG Advisory 'Moderate' Risk DPM buffer overflow in SRM v2.2
       endpoint

Date:  2013-02-19

URL:   https://advisories.egi.eu/2012/Advisory-SVG-2012-4670

Introduction
============

A buffer overflow vulnerability has been found in DPM in the SRM v2.2 endpoint.

A new version of DPM which resolves this vulnerability is now available in
the EMI-1 and EMI-2 distributions.

This version is also available in EGI UMD-1 and EGI UMD-2.

Details
=======

A buffer overflow vulnerability has been found in DPM in the SRM v2.2 endpoint.

Risk category
=============

This issue has been assessed as "Moderate" risk by the EGI SVG Risk Assessment
Team.


Affected software
=================

DPM version 1.8.4, available both in the EMI 2 distribution and the EGI UMD 2
distribution.

DPM version 1.8.2, available both in the EMI 1 distribution and the EGI UMD 1
distribution.

This vulnerability has been fixed in DPM 1.8.6 as available in EMI 1 Update 23
and EMI 2 Update 8.

The package has also been released in EGI UMD-1 Release 1.10.0
(http://repository.egi.eu/2013/02/19/release-umd-1-10-0/)
and in EGI UMD-2 Release 2.4.0
(http://repository.egi.eu/2013/02/18/release-umd-2-4-0/).


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites
is repository.egi.eu which contains the EGI Unified Middleware Distribution
(UMD).

Sites using the EGI UMD should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-2/

http://repository.egi.eu/category/umd_releases/distribution/umd_1/

Sites installing directly from EMI should see:

http://www.eu-emi.eu/emi-2-matterhorn/updates/

http://www.eu-emi.eu/emi-1-kebnekaise-updates/


Recommendations
===============

Sites are recommended to update relevant components.


Credit
======

This vulnerability was reported to SVG by Eygene Ryabinkin.



Timeline
========

Yyyy-mm-dd

2012-11-19 Vulnerability reported to SVG by Eygene Ryabinkin
2012-11-19 Acknowledgement from the EGI SVG to the reporter
2012-11-21 Assessment by the EGI Software Vulnerability Group reported
           to the software providers
2013-01-28 Updated packages available in the EMI distribution
2013-02-19 Updated packages available in the EGI UMD-1 and EGI UMD-2
2013-02-19 Public disclosure