Important security information regarding Server3
Gallagher James
jgallagher at opendap.org
Wed Apr 25 09:08:06 PDT 2007
All:
A problem has been found in the Server3 software which provides a way
for people to run commands on the computer running the server. The
best fix for this problem is to upgrade to Hyrax (aka. Server4). For
those who want to continue running the old server, we will produce a
patch which you can install, although the design of the new server is
so much superior with respect to system security that I would urge
everyone to carefully weigh the benefits of installing a patched
version of the old server. Regardless of whether you choose to
upgrade to Hyrax or patch your server, you should seriously consider
stopping any instances of Server3 you are now running until you have
addressed this issue.
How to determine if you have been affected by this problem: Look in
your web server logs for evidence of people running commands.
Note that this _does not_ apply to sites already running Hyrax; this
problem only affects sites still running Server3.
If you would like help in upgrading your server, or if you have more
questions, you can contact this list (you must subscribe first, see
http://www.opendap.org/mailLists/index.html), me (jgallagher at
opendap.org) or our user support (support-opendap at unidata.ucar.edu).
Shortly we will add information to the OPeNDAP web page (opendap.org).
Once we have addressed the short-term issues presented by this
problem, OPeNDAP will form a Security Working Group to develop a set
of policies concerning general security issues and responses to
problems. See http://docs.opendap.org/index.php/Working_Groups for
information about the Working Groups.
We apologize for any inconvenience this may cause you.
James
--
James Gallagher jgallagher at opendap.org
OPeNDAP, Inc 406.723.8663