Important security information regarding Server3
John Cartwright
John.C.Cartwright at noaa.gov
Thu Apr 26 08:09:37 PDT 2007
Hi James,
can you also confirm that the problem does not affect the THREDDS Data
Server?
Thanks!
-- john
James Gallagher wrote:
>
> On Apr 26, 2007, at 6:29 AM, Peter Cornillon wrote:
>
>> Hi Jennifer,
>>
>> On Apr 26, 2007, at 7:13 AM, Jennifer Adams wrote:
>>
>>> This problem with security ... my assumption is that it doesn't
>>> affect GDS, which uses JDAP 1.1.7 (DAP 2.0). Is that correct?
>
> This problem does not affect GDS.
>
> Sorry for the delay.
>
> James
>>
>> To the best of my knowledge, the problem only affects the cgi/perl
>> based servers; that it should not be a problem for the GDS or the
>> TDS. James (or Dan) will confirm. James is on Mountain Time so won't
>> be on for another couple of hours.
>>
>> Peter
>>
>>> Jennifer
>>>
>>>
>>> On Apr 25, 2007, at 12:08 PM, Gallagher James wrote:
>>>
>>>> All:
>>>>
>>>> A problem has been found in the Server3 software which provides a
>>>> way for people to run commands on the computer running the server.
>>>> The best fix for this problem is to upgrade to Hyrax (aka.
>>>> Server4). For those who want to continue running the old server, we
>>>> will produce a patch which you can install, although the design of
>>>> the new server is so much superior with respect to system security
>>>> that I would urge everyone to carefully weigh the benefits of
>>>> installing a patched version of the old server. Regardless of
>>>> whether you choose to upgrade to Hyrax or patch your server, you
>>>> should seriously consider stopping any instances of Server3 you are
>>>> now running until you have addressed this issue.
>>>>
>>>> How to determine if you have been affected by this problem: Look in
>>>> your web server logs for evidence of people running commands.
>>>>
>>>> Note that this _does not_ apply to sites already running Hyrax; this
>>>> problem only affects sites still running Server3.
>>>>
>>>> If you would like help in upgrading your server, or if you have
>>>> more questions, you can contact this list (you must subscribe
>>>> first, see http://www.opendap.org/mailLists/index.html), me
>>>> (jgallagher at opendap.org) or our user support
>>>> (support-opendap at unidata.ucar.edu
>>>> <mailto:support-opendap at unidata.ucar.edu>). Shortly we will add
>>>> information to the OPeNDAP web page (opendap.org).
>>>>
>>>> Once we have addressed the short-term issues presented by this
>>>> problem, OPeNDAP will form a Security Working Group to develop a
>>>> set of policies concerning general security issues and responses to
>>>> problems. See http://docs.opendap.org/index.php/Working_Groups for
>>>> information about the Working Groups.
>>>>
>>>> We apologize for any inconvenience this may cause you.
>>>>
>>>> James
>>>>
>>>> --
>>>> James Gallagher jgallagher at opendap.org
>>>> OPeNDAP, Inc 406.723.8663
>>>>
>>>>
>>>>
>>>
>>> --
>>> Jennifer M. Adams
>>> IGES/COLA
>>> 4041 Powder Mill Road, Suite 302
>>> Calverton, MD 20705
>>> jma at cola.iges.org <mailto:jma at cola.iges.org>
>>>
>>>
>>>
>>
>> ---
>> Peter Cornillon
>> 215 South Ferry Road Telephone: (401) 874-6283
>> Graduate School of Oceanography Fax: (401) 874-6728
>> University of Rhode Island Internet:
>> pcornillon at gso.uri.edu <mailto:pcornillon at gso.uri.edu>
>> Narragansett, Rhode Island 02882
>>
>>
>>
>>
>
> --
> James Gallagher jgallagher at opendap.org
> OPeNDAP, Inc 406.723.8663
>
>
>
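The advisory quoted above tells Server3 operators to check their web server logs for evidence of people running commands, but gives no recipe. The script below is an added example, not code from OPeNDAP or from anyone on this thread: it parses Apache combined-format access log lines and flags requests whose URL, after percent-decoding, contains shell metacharacters that have no meaning in a DAP2 constraint expression. The log lines are constructed, the /server3/ path is a placeholder rather than the real Server3 CGI path, and the metacharacter list is a heuristic assumption, not a signature for the actual flaw.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not taken from the thread); the
# /server3/ path is a placeholder, not the real Server3 CGI path.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Apr/2007:10:01:22 -0600] "GET /server3/example.nc.das HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Apr/2007:10:02:05 -0600] "GET /server3/example.nc.dods?temp[0:1:10]&lat>0 HTTP/1.1" 200 40960 "-" "ncdump/3.6"
198.51.100.7 - - [25/Apr/2007:10:07:41 -0600] "GET /server3/example.nc.dods?temp%3Bid HTTP/1.1" 500 310 "-" "curl/7.15"
198.51.100.7 - - [25/Apr/2007:10:07:59 -0600] "GET /server3/example.nc.dods?%24%28uname%29 HTTP/1.1" 500 310 "-" "curl/7.15"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that do not occur in a legitimate DAP2 constraint
# expression (heuristic assumption). '&' is deliberately excluded: DAP2 uses
# it to separate selection clauses, so flagging it would false-positive on
# ordinary data requests such as the second sample line above.
METACHARS = {
    ";": "command separator",
    "|": "pipe",
    "`": "backtick substitution",
    "$(": "command substitution",
    "${": "variable expansion",
    "\n": "newline",
    "\r": "carriage return",
}


def decode_url(url):
    """Percent-decode until stable so a double-encoded request cannot hide a metacharacter."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url


def suspicious_requests(log_text):
    """Return (ip, timestamp, decoded_url, reasons) for each log line whose
    request URL contains shell metacharacters after percent-decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = decode_url(m.group("url"))
        reasons = [why for tok, why in METACHARS.items() if tok in url]
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), url, reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, url, reasons in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {url} -> {', '.join(reasons)}")
```

Run it against a real access log with `suspicious_requests(open(path).read())`; each hit gives the client address and timestamp to pivot on when reviewing the server's own logs. The decode-until-stable loop matters because a CGI that decodes its own input can see characters the front-end web server never did, and the exclusion of `&` is the kind of protocol-specific tuning any such heuristic needs before it is useful on an OPeNDAP server.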