Ticket metadata
Id: 3781
Status: resolved
Priority: 3/0
Queue: vdt-internal

Fixed in: 1.10.1h
Fix scheduled: CUR

Owner: Tim Cartwright
Requestors: Alain Roy
Cc:
AdminCc:

Created: Fri Aug 22 17:26:42 2008
Starts: Not set
Started: Tue Aug 26 10:04:32 2008
Last Contact: Tue Sep 02 15:30:32 2008
Due: Sun Sep 14 00:00:00 2008
Closed: Wed Sep 03 10:58:35 2008
Updated: Wed Sep 03 10:58:50 2008 by cat



History
Subject: Update Apache to 2.2.9 in VDT 1.10.1 by September 14th, 2008
We need to update to Apache 2.2.9 by September 14th, 2008.

Release notes:
http://www.apache.org/dist/httpd/Announcement2.2.html

This addresses two security advisories:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420

Jim Basney from the OSG Security Team presented the following analysis,
and Doug Olson from the OSG Security Team agreed with it.

> From: Jim Basney <jbasney@ncsa.uiuc.edu>
> Date: August 22, 2008 1:52:52 PM PDT
> To: Alain Roy <roy@cs.wisc.edu>
> Cc: Doug Olson <dlolson@lbl.gov>,
> "Kevin L. Buterbaugh" <klb@accre.vanderbilt.edu>,
> maltunay@fnal.gov,
> osg-security-team@OPENSCIENCEGRID.ORG
> Subject: Re: VDT shipping Apache with security vulnerability (was Re:
> OSG Security question)
>
> Apache httpd vulnerabilities are listed at:
> http://httpd.apache.org/security/vulnerabilities_22.html
>
> All vulnerabilities since httpd 2.2.3 are listed as moderate or low
> impact.
>
> The mod_proxy_http and mod_proxy_balancer modules are included in VDT
> but are they enabled? I don't see any <Proxy> configurations in
> $VDT_LOCATION/apache/conf in my VDT 1.10.1 install, so I provisionally
> conclude that they are not enabled.
>
> I provisionally rate this as low urgency (to be addressed on a
> best-effort basis). I suggest that httpd in VDT 1.10 should be updated
> by 14 September 2008 (3 months since the update was released by Apache).
> I further suggest that there's not a need to update the httpd in VDT
> 1.8 at this time.
>
> Alain, do you know if anyone has attempted to use their system httpd
> with VDT rather than the httpd provided by VDT? That may be a quick
> work-around for Kevin to satisfy his local security personnel until the
> httpd in VDT is updated.
>
> Please feel free to question or correct any of my conclusions above.
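The question raised in the analysis above, whether mod_proxy_http and mod_proxy_balancer are merely shipped or actually enabled, can be answered mechanically. The script below is an added example, not tooling from the ticket, VDT or Apache: it scans a configuration tree for uncommented LoadModule lines naming the proxy modules and for <Proxy>/<ProxyMatch> blocks and ProxyPass/ProxyPassReverse/ProxyRequests directives, and exits non-zero when any are present. It assumes the configuration lives in *.conf files under one directory (as with $VDT_LOCATION/apache/conf) and that modules are loaded via LoadModule rather than compiled in statically; the sample configurations it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not VDT or Apache tooling): check whether an Apache 2.2
# configuration tree enables the modules affected by CVE-2008-2364
# (mod_proxy_http) and CVE-2007-6420 (mod_proxy_balancer).
# Assumptions: config is in *.conf files under one directory and modules
# are loaded with LoadModule (statically compiled modules are not visible here).

# Print the proxy modules loaded by uncommented LoadModule lines, one per line.
proxy_modules_loaded() {
    find "$1" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
    awk '{ sub(/#.*/, "") }   # strip comments so commented-out lines do not count
         $1 == "LoadModule" && $2 ~ /^proxy(_http|_balancer)?_module$/ { print $2 }' |
    sort -u
}

# Count proxy configuration directives: <Proxy>/<ProxyMatch> blocks and
# ProxyPass / ProxyPassReverse / ProxyRequests lines.
proxy_directives() {
    find "$1" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
    awk '{ sub(/#.*/, "") }
         /^[ \t]*<Proxy(Match)?[ >]/ || $1 ~ /^Proxy(Pass|PassReverse|Requests)$/ { n++ }
         END { print n + 0 }'
}

# Report the finding; return 0 when nothing proxy-related is enabled, 1 otherwise.
apache_proxy_check() {
    mods=$(proxy_modules_loaded "$1" | tr '\n' ' ')
    n=$(proxy_directives "$1")
    if [ -z "$mods" ] && [ "$n" -eq 0 ]; then
        echo "$1: proxy modules not enabled"
        return 0
    fi
    echo "$1: proxy enabled (modules: ${mods:-none}; proxy directives: $n)"
    return 1
}

# Constructed sample configurations for a stand-alone run.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/clean" "$demo_dir/proxying"

# Modules present on disk but commented out, the situation the analysis assumes.
cat > "$demo_dir/clean/httpd.conf" <<'EOF'
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
Listen 8443
EOF

# A host that really does proxy and balance; this is the exposed case.
cat > "$demo_dir/proxying/httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
<Proxy balancer://pool>
    BalancerMember http://10.0.0.1:8080
</Proxy>
ProxyPass /app balancer://pool/
EOF

apache_proxy_check "$demo_dir/clean"
apache_proxy_check "$demo_dir/proxying" || true
```

On a live VDT host, run it against $VDT_LOCATION/apache/conf. Two caveats: Include directives pointing outside that directory are not followed, and a statically compiled module needs no LoadModule line, so the authoritative list of what is actually loaded is `$VDT_LOCATION/apache/bin/httpd -M`; use the scan to find where proxying is configured, and httpd -M to confirm what the running binary loads.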
> Changes needed for the Apache 2.2.9 build, including a new, temporary patch to
> fix a build error on AIX.

This is a test comment for Alain. Again.