Release date: 2016-03-31
Thanks to Emmanuel Thomé, a vulnerability was discovered in OAR which affects all previous versions of OAR. This vulnerability allows any user of a cluster managed by OAR to read parts of data that are not supposed to be readable by that user. It might be exploited to gain root privileges on the cluster. In particular, it is known to potentially allow the disclosure of parts of private SSH keys (CVE-2016-1235).
OAR 2.5.7 fixes this vulnerability. Upgrading is highly recommended.
As usual, OAR 2.5.7 is distributed as RPM (OAR dedicated repository) or Debian (Debian official repository) packages.
Versions of packages are frozen in Debian stable distributions. Therefore, security update packages are also provided for Jessie (Debian 8): 2.5.4-2+deb8u1, and Wheezy (Debian 7): 2.5.2-3+deb7u1. Those packages fix the vulnerability.
Nevertheless, for those stable distributions, we recommend using the backports package sources, in order to benefit from all the changes brought by the latest versions, along with the security fix.
This version mainly brings a security fix for the oarsh command. It is highly recommended to upgrade, since all previous versions of OAR are affected.
adapt settings to your setup, if required (OARSH_* variables)
to ssh, given a list of hostname patterns