Back to OAR versions
Release date: 2016-03-31
This version mainly brings a security fix for the oarsh command. It is highly recommended to upgrade (server, frontend(s) and nodes), since all previous versions of OAR are affected.
Thanks to Emmanuel Thomé, a vulnerability was discovered in OAR, which affects all previous versions of OAR. This vulnerability allows any user of a cluster managed by OAR to read parts of data which are not supposed to be readable by the user. This vulnerability might be exploited to gain root privileges on the cluster. It is in particular known to eventually allow one to disclose part of private ssh keys (CVE-2016-1235).
Versions of packages are frozen in Debian stable distributions. Therefore, security update packages are also provided for Jessie (Debian 8): 2.5.4-2+deb8u1 and Wheezy (Debian 7): 2.5.2-3+deb7u1. Those packages fix the vulnerability.
However, for those stable distributions, we recommend using the backports package sources, in order to install OAR 2.5.7 and benefit from all the changed which the last versions bring, along with the security fix.
This version mainly brings a security fix for the oarsh command. It is highly recommanded to upgrade, since all previous versions of OAR are affected.