OAR 2.5.7

Release date: 2016-03-31

Foreword

This version mainly brings a security fix for the oarsh command. It is highly recommended to upgrade (server, frontend(s) and nodes), since all previous versions of OAR are affected.

Thanks to Emmanuel Thomé, a vulnerability was discovered in OAR which affects all previous versions of OAR. This vulnerability allows any user of a cluster managed by OAR to read parts of data which are not supposed to be readable by that user. It might be exploited to gain root privileges on the cluster; in particular, it is known to allow the disclosure of parts of private SSH keys (CVE-2016-1235).

As usual, OAR 2.5.7 is distributed as RPM (OAR dedicated repository) or Debian (Debian official repository) packages.

Note for Debian stable and old stable

Versions of packages are frozen in Debian stable distributions. Therefore, security update packages are also provided for Jessie (Debian 8): 2.5.4-2+deb8u1 and Wheezy (Debian 7): 2.5.2-3+deb7u1. Those packages fix the vulnerability.

However, for those stable distributions, we recommend using the backports package sources in order to install OAR 2.5.7 and benefit from all the changes which the latest versions bring, along with the security fix.

Changelog

This version mainly brings a security fix for the oarsh command. It is highly recommended to upgrade, since all previous versions of OAR are affected.

  • [oarsh] fix a security hole when passing options to OpenSSH. See oar.conf to adapt settings to your setup, if required (OARSH_* variables)
  • [oarsh] dropped the mechanism to select whether to use oarsh or fall back to ssh, given a list of hostname patterns
  • [oarsub] fix the job-key information of the manual page
  • [oarsub] handle cases where trailing spaces were breaking oarsub script directives
  • [api] added an example of Apache configuration for the authentication
  • [documentation] improve the SSH keys setup explanations for OAR installation
oar_2.5.7.txt · Last modified: 2016/04/07 18:08 by neyron