[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Condor-users] Condor 6.6.11 released
- Date: Tue, 28 Mar 2006 10:50:08 -0600
- From: Greg Thain <gthain@xxxxxxxxxxx>
- Subject: [Condor-users] Condor 6.6.11 released
Condor 6.6.11 has been released. This release contains important
security fixes. We expect 6.6.11 to be the final release of the 6.6.x
series. We strongly recommend sites running earlier versions of the
6.6.x series to upgrade to 6.6.11.
A security team at UW-Madison is conducting an ongoing security audit
of the Condor system and has identified a few important
vulnerabilities. Condor versions 6.6.11 and 6.7.18 fix these security
problems and other bugs. There have been no reported exploits, but
all sites are urged to upgrade immediately.
The Condor Team will publish detailed reports of these vulnerabilities
on 2006-04-24, four weeks from the date when the fixes were first
released (2006-03-27). This will allow all sites time to upgrade
before enough information to exploit these bugs is widely available.
Summary of vulnerabilities fixed in this release:
* Bugs in previous versions of Condor could allow any user who can
submit jobs on a machine to gain access to the "condor" account (or
whatever non-privileged user the Condor daemons are running as).
This bug can not be exploited remotely, only by users already logged
onto a submit machine in the Condor pool.
* The security of the "condor_config_val -set" feature was found to be
insufficient, so this feature is now disabled by default. There are
new configuration settings to enable this feature in a secure
manner. Please read the descriptions of ENABLE_RUNTIME_CONFIG,
ENABLE_PERSISTENT_CONFIG and PERSISTENT_CONFIG_DIR in the example
configuration file shipped with the latest Condor releases, or in
the Condor manual.
The Version History containing the full details of what's new in 6.6.11
can be found here:
UW Madison Condor Team