[Condor-users] [Condor-world] Condor 6.6.11 released
- Date: Sat, 29 Apr 2006 20:32:40 -0000
- From: Greg Thain <gthain@xxxxxxxxxxx>
- Subject: [Condor-users] [Condor-world] Condor 6.6.11 released
Condor 6.6.11 has been released. This release contains important
security fixes. We expect 6.6.11 to be the final release of the 6.6.x
series. We strongly recommend that sites running earlier versions of
the 6.6.x series upgrade to 6.6.11.

A security team at UW-Madison is conducting an ongoing security audit
of the Condor system and has identified a few important
vulnerabilities. Condor versions 6.6.11 and 6.7.18 fix these security
problems and other bugs. There have been no reported exploits, but
all sites are urged to upgrade immediately.

The Condor Team will publish detailed reports of these vulnerabilities
on 2006-04-24, four weeks from the date when the fixes were first
released (2006-03-27). This will allow all sites time to upgrade
before enough information to exploit these bugs is widely available.

Summary of vulnerabilities fixed in this release:

* Bugs in previous versions of Condor could allow any user who can
  submit jobs on a machine to gain access to the "condor" account (or
  whatever non-privileged user the Condor daemons are running as).
  This bug cannot be exploited remotely, only by users already logged
  onto a submit machine in the Condor pool.

* The security of the "condor_config_val -set" feature was found to be
  insufficient, so this feature is now disabled by default. There are
  new configuration settings to enable this feature in a secure
  manner. Please read the descriptions of ENABLE_RUNTIME_CONFIG,
  ENABLE_PERSISTENT_CONFIG and PERSISTENT_CONFIG_DIR in the example
  configuration file shipped with the latest Condor releases, or in
  the Condor manual.

The Version History containing the full details of what's new in 6.6.11
can be found here:

UW Madison Condor Team
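
An added example, not part of the original announcement and not Condor Team code: a small audit of configuration text for the three settings named above, useful after upgrading to confirm that "condor_config_val -set" is off or, if enabled, points at a locked-down directory. It assumes simple "NAME = value" lines, case-insensitive setting names, and that a secure PERSISTENT_CONFIG_DIR means a directory that is not group- or world-writable; the finding names are made up for this example.

```python
import os
import stat

def parse_config(text):
    """Parse 'NAME = value' lines; the last assignment wins.
    Assumption: no line continuations; $(MACRO) references are not expanded."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        values[name.strip().upper()] = value.strip()
    return values

def enabled(values, name):
    # Both ENABLE_* settings are treated as off when absent (disabled by default).
    return values.get(name, "false").lower() == "true"

def audit(values):
    """Return a list of finding names (hypothetical labels) for the parsed config."""
    findings = []
    if enabled(values, "ENABLE_RUNTIME_CONFIG"):
        findings.append("runtime-set-enabled")
    if enabled(values, "ENABLE_PERSISTENT_CONFIG"):
        findings.append("persistent-set-enabled")
        path = values.get("PERSISTENT_CONFIG_DIR", "")
        if not path:
            findings.append("persistent-dir-unset")
        elif "$(" in path:
            # Needs the expanded value before it can be checked on disk.
            findings.append("persistent-dir-unexpanded")
        elif not os.path.isdir(path):
            findings.append("persistent-dir-missing")
        elif os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("persistent-dir-writable-by-others")
    return findings

# Constructed sample, not taken from a real pool.
SAMPLE = """\
# local overrides
ENABLE_RUNTIME_CONFIG = False
ENABLE_PERSISTENT_CONFIG = True
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE)):
        print(finding)
```

An empty result means neither form of "-set" is enabled in the text that was checked.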