[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Suggestions for handling of condor update

Hello Roberto,

I have just returned from a two week canoe camping trip (no electricity,
no internet). I saw this bug report just as I left town. I will be able
to review your work next week.

I will have bit to catch up on Monday. I will take a look at this after
I catch up.

Thank you for putting in the time to address this issue. You will hear
from me again next week.

I should be able to review that the changes are correct and test on the
various distributions.


On 7/17/20 3:13 PM, Roberto C. Sánchez wrote:
> Condor maintainers,
> Could you provide your thoughts/feedback on the below?
> Regards,
> -Roberto
> On Sun, Jul 12, 2020 at 07:44:40AM -0400, Roberto C. Sánchez wrote:
>> Hello all,
>> Your feedback on the condor update situation (described below) would be
>> appreciated.
>> Several weeks ago I prepared updates for condor for jessie (then-LTS),
>> stretch, and buster (the latter two still under the security team
>> ubmrella) to address CVE-2019-18823.  The description of the fix is "an
>> information disclosure of authentication credentials could allow an
>> attacker to impersonate an authenticated user and perform actions as
>> that user."
>> I messaged the security team to seek counsel regarding the best way to
>> proceed with the update in stretch and buster with the intent of
>> resolving that question before proceeding with the jessie update.  The
>> security team asked about what sort of testing had been performed.  Not
>> being a user of condor my ability test the changes is limited, and since
>> the changes involve the authentication mechanisms, it would perhaps be
>> unwise to publish the update without some form of testing.  Thus far I
>> have not taken further action.
>> One the one hand it seems a shame to discard the prepared update, but on
>> the other hand the security team's concern regarding potential
>> regressions is quite correct.
>> Does anyone have any specific suggestions?  That is, is anyone able to
>> offer to test these packages or know someone who might be able to?
>> Apart from that, might there be an approach to minimize the possibility
>> of a regression?
>> Regards,
>> -Roberto
>> -- 
>> Roberto C. Sánchez

Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736

Reply to: