Differences

This shows you the differences between two versions of the page.

oar_2.5.7 [2016/04/07 17:04] neyronoar_2.5.7 [2016/04/07 18:08] neyron
Line 6: Line 6:
  
 ===== Forword ===== ===== Forword =====
-Thanks to Emmanuel Thomé, a **vulnerability** was discovered in OARwhich affects all previous versions of OAR. This vulnerability allows any user of a cluster managed by OAR to read parts of data which are not supposed to be readable by the user. This vulnerability might be exploited to gain root privileges on the cluster. It is in particular known to eventually allow one to disclose part of private ssh keys (CVE-2016-1235).+This version mainly brings security fix for the oarsh command. It is 
 +**highly recommended to upgrade (server, frontend(s) and nodes)**, since all 
 +previous versions of OAR are affected.
  
-**OAR 2.5.7 fixes this vulnerability. Upgrading is highly recommended.**+Thanks to Emmanuel Thomé, a vulnerability was discovered in OAR, which 
 +affects all previous versions of OAR. This vulnerability allows any user 
 +of a cluster managed by OAR to read parts of data which are not supposed 
 +to be readable by the userThis vulnerability might be exploited to 
 +gain root privileges on the clusterIt is in particular known to 
 +eventually allow one to disclose part of private ssh keys (CVE-2016-1235).
  
-As usually, OAR 2.5.7 is distributed as RPM ([[download#rpms|(OAR dedicated repository]]) or Debian ([[download#debian|Debian official repository]]) packages.+As usually, OAR 2.5.7 is distributed as RPM ([[download#rpms|OAR dedicated repository]]) or Debian ([[download#debian|Debian official repository]]) packages.
  
 == Note for Debian stable and old stable == == Note for Debian stable and old stable ==
  
-Versions of packages are frozen in Debian stable distibutions. Therefore, security update packages are also provided for Jessie (Debian 8): //2.5.4-2+deb8u1// and Wheezy (Debian 7): //2.5.2-3+deb7u1//. Those packages fix the vulnerability+Versions of packages are frozen in Debian stable distributions. 
- +Therefore, security update packages are also provided for Jessie (Debian 
-Nevertheless, for those stable distributions, we recommend using the [[http://backports.debian.org|backports]] package sources, in order to benefit from all the changed which by the last versions brought, along with the security fix.+8): //2.5.4-2+deb8u1// and Wheezy (Debian 7): //2.5.2-3+deb7u1//. Those packages 
 +fix the vulnerability.
  
 +However, for those stable distributions, we recommend using the
 +[[http://backports.debian.org|backports]] package sources, in order to install OAR 2.5.7 and benefit from all the changed which the last versions bring, along with the security fix.
  
 ===== Changelog ===== ===== Changelog =====
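Review bot: In the new opening paragraph, "all previous versions of OAR are affected" reads as contradicting the Debian note further down, which says //2.5.4-2+deb8u1// and //2.5.2-3+deb7u1// fix the vulnerability. An administrator on Jessie or Wheezy who compares only version numbers could conclude that a patched package is still vulnerable, so suggest qualifying the sentence (for example "all previous upstream releases") or pointing from it to the Debian note. Wording issues also remain in the added lines: "brings security fix" is missing "a", and "all the changed which the last versions bring" should read "changes". The unchanged "Forword" heading and "As usually" could be corrected in the same revision.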
oar_2.5.7.txt · Last modified: 2016/04/07 18:08 by neyron