Important security information regarding Server3
Peter Cornillon
pcornillon at gso.uri.edu
Thu Apr 26 05:29:37 PDT 2007
Hi Jennifer,
On Apr 26, 2007, at 7:13 AM, Jennifer Adams wrote:
> This problem with security ... my assumption is that it doesn't
> affect GDS, which uses JDAP 1.1.7 (DAP 2.0). Is that correct?
To the best of my knowledge, the problem only affects the cgi/perl
based servers; that it should not be a problem for the GDS or the
TDS. James (of Dan) will confirm. James is on Mountain Time so won't
be on for another couple of hours.
Peter
> Jennifer
>
>
> On Apr 25, 2007, at 12:08 PM, Gallagher James wrote:
>
>> All:
>>
>> A problem has been found in the Server3 software which provides a
>> way for people to run commands on the computer running the server.
>> The best fix for this problem is to upgrade to Hyrax (aka.
>> Server4). For those who want to continue running the old server,
>> we will produce a patch which you can install, although the design
>> of the new server is so much superior with respect to system
>> security that I would urge everyone to carefully weigh the
>> benefits of installing a patched version of the old server.
>> Regardless of whether you choose to upgrade to Hyrax or patch your
>> server, you should seriously consider stopping any instances of
>> Server3 you are now running until you have addressed this issue.
>>
>> How to determine if you have been affected by this problem: Look
>> in your web server logs for evidence of people running commands.
>>
>> Note that this _does not_ apply to sites already running Hyrax;
>> this problem only affects sites still running Server3.
>>
>> If you would like help in upgrading your server, or if you have
>> more questions, you can contact this list (you must subscribe
>> first, see http://www.opendap.org/mailLists/index.html), me
>> (jgallagher at opendap.org) or our user support
>> (support-opendap at unidata.ucar.edu). Shortly we will add information to the
>> OPeNDAP web page (opendap.org).
>>
>> Once we have addressed the short-term issues presented by this
>> problem, OPeNDAP will form a Security Working Group to develop a
>> set of policies concerning general security issues and responses
>> to problems. See http://docs.opendap.org/index.php/Working_Groups
>> for information about the Working Groups.
>>
>> We apologize for any inconvenience this may cause you.
>>
>> James
>>
>> --
>> James Gallagher jgallagher at opendap.org
>> OPeNDAP, Inc 406.723.8663
>>
>>
>>
>
> --
> Jennifer M. Adams
> IGES/COLA
> 4041 Powder Mill Road, Suite 302
> Calverton, MD 20705
> jma at cola.iges.org
>
>
>
---
Peter Cornillon
215 South Ferry Road Telephone: (401) 874-6283
Graduate School of Oceanography Fax: (401) 874-6728
University of Rhode Island Internet: pcornillon at gso.uri.edu
Narragansett, Rhode Island 02882