This shows you the differences between two versions of the page.
oar_2.5.7 [2016/04/07 17:04] – neyron | oar_2.5.7 [2016/04/07 17:29] – neyron | ||
---|---|---|---|
Line 6: | Line 6: | ||
===== Forword ===== | ===== Forword ===== | ||
- | Thanks to Emmanuel Thomé, | + | This version mainly brings |
+ | **highly recommended to upgrade (server, frontend(s) and nodes)**, since all | ||
+ | previous versions of OAR are affected. | ||
- | **OAR 2.5.7 fixes this vulnerability. | + | Thanks to Emmanuel Thomé, a vulnerability was discovered in OAR, which |
+ | affects all previous versions of OAR. This vulnerability allows any user | ||
+ | of a cluster managed by OAR to read parts of data which are not supposed | ||
+ | to be readable by the user. This vulnerability | ||
+ | gain root privileges on the cluster. It is in particular known to | ||
+ | eventually allow one to disclose part of private ssh keys (CVE-2016-1235). | ||
As usually, OAR 2.5.7 is distributed as RPM ([[download# | As usually, OAR 2.5.7 is distributed as RPM ([[download# | ||
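Review bot: in the new advisory paragraph, "It is in particular known to eventually allow one to disclose part of private ssh keys" is ambiguous for a security notice, because "eventually" can read as "after some time" rather than "possibly"; state plainly whether key disclosure is a demonstrated impact of CVE-2016-1235. Since the text says all previous versions are affected and that server, frontend(s) and nodes all need upgrading, it should also tell administrators whether SSH keys that were readable before the upgrade need to be regenerated. Minor: the heading still reads "Forword" (should be "Foreword") and "As usually" should be "As usual".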
Line 14: | Line 21: | ||
== Note for Debian stable and old stable == | == Note for Debian stable and old stable == | ||
- | Versions of packages are frozen in Debian stable | + | Versions of packages are frozen in Debian stable |
- | + | Therefore, security update packages are also provided for Jessie (Debian | |
- | Nevertheless, | + | 8): // |
+ | fix the vulnerability. | ||
+ | Nevertheless, | ||
+ | [[http:// | ||
===== Changelog ===== | ===== Changelog ===== |
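Review bot: the heading covers "Debian stable and old stable", but the added sentence on security update packages names only Jessie (Debian 8) in the visible text; name the old stable release as well, or say explicitly that no update is provided for it. Because the note says package versions are frozen in Debian stable, give the exact package version that carries the fix for each release so administrators can compare it with what is installed.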