Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
oar_2.5.7 [2016/04/07 17:04] neyronoar_2.5.7 [2016/04/07 18:08] (current) – [Changelog] neyron
Line 6: Line 6:
  
 ===== Forword ===== ===== Forword =====
-Thanks to Emmanuel Thomé, a **vulnerability** was discovered in OARwhich affects all previous versions of OAR. This vulnerability allows any user of a cluster managed by OAR to read parts of data which are not supposed to be readable by the user. This vulnerability might be exploited to gain root privileges on the cluster. It is in particular known to eventually allow one to disclose part of private ssh keys (CVE-2016-1235).+This version mainly brings security fix for the oarsh command. It is 
 +**highly recommended to upgrade (server, frontend(s) and nodes)**, since all 
 +previous versions of OAR are affected.
  
-**OAR 2.5.7 fixes this vulnerability. Upgrading is highly recommended.**+Thanks to Emmanuel Thomé, a vulnerability was discovered in OAR, which 
 +affects all previous versions of OAR. This vulnerability allows any user 
 +of a cluster managed by OAR to read parts of data which are not supposed 
 +to be readable by the userThis vulnerability might be exploited to 
 +gain root privileges on the clusterIt is in particular known to 
 +eventually allow one to disclose part of private ssh keys (CVE-2016-1235).
  
-As usually, OAR 2.5.7 is distributed as RPM ([[download#rpms|(OAR dedicated repository]]) or Debian ([[download#debian|Debian official repository]]) packages.+As usually, OAR 2.5.7 is distributed as RPM ([[download#rpms|OAR dedicated repository]]) or Debian ([[download#debian|Debian official repository]]) packages.
  
 == Note for Debian stable and old stable == == Note for Debian stable and old stable ==
  
-Versions of packages are frozen in Debian stable distibutions. Therefore, security update packages are also provided for Jessie (Debian 8): //2.5.4-2+deb8u1// and Wheezy (Debian 7): //2.5.2-3+deb7u1//. Those packages fix the vulnerability+Versions of packages are frozen in Debian stable distributions. 
- +Therefore, security update packages are also provided for Jessie (Debian 
-Nevertheless, for those stable distributions, we recommend using the [[http://backports.debian.org|backports]] package sources, in order to benefit from all the changed which by the last versions brought, along with the security fix.+8): //2.5.4-2+deb8u1// and Wheezy (Debian 7): //2.5.2-3+deb7u1//. Those packages 
 +fix the vulnerability.
  
 +However, for those stable distributions, we recommend using the
 +[[http://backports.debian.org|backports]] package sources, in order to install OAR 2.5.7 and benefit from all the changed which the last versions bring, along with the security fix.
  
 ===== Changelog ===== ===== Changelog =====
Line 24: Line 34:
 recommanded to upgrade, since all previous versions of OAR are affected. recommanded to upgrade, since all previous versions of OAR are affected.
  
-  * [oarsh] fix a security hole when passing option to OpenSSH. See oar.conf to +  * [oarsh] fix a security hole when passing option to OpenSSH. See oar.conf to adapt settings to your setup, if required (OARSH_* variables) 
-    adapt settings to your setup, if required (OARSH_* variables) +  * [oarsh] dropped the mechanism to select whether to use oarsh or fall back to ssh, given a list of hostname patterns
-  * [oarsh] dropped the mechanism to select whether to use oarsh or fall back  +
-    to ssh, given a list of hostname patterns+
   * [oarsub] fix the job-key information of the manual page   * [oarsub] fix the job-key information of the manual page
   * [oarsub] handle cases where trailing spaces were breaking oarsub script directives   * [oarsub] handle cases where trailing spaces were breaking oarsub script directives
oar_2.5.7.txt · Last modified: 2016/04/07 18:08 by neyron
Recent changes RSS feed GNU Free Documentation License 1.3 Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki