perfSONAR Announcements

[Jason Zurawski <>]

Greetings;

As of Weds evening, there has not been an announcement of additional 
vulnerabilities or patches from our upstream operating system provider.  For 
those keeping track at home, the best resource from Redhat on this issue can 
be found in these locations:

https://access.redhat.com/announcements/1210053
https://access.redhat.com/articles/1200223

There were 6 CVEs total announced:

> CVE-2014-6271
> CVE-2014-6277
> CVE-2014-6278 
> CVE-2014-7169
> CVE-2014-7186
> CVE-2014-7187

These link back to two specific errata pages that apply to the version of 
CentOS the perfSONAR toolkit is based on:

https://rhn.redhat.com/errata/RHSA-2014-1293.html
https://rhn.redhat.com/errata/RHSA-2014-1306.html

CVE 6271 was addressed with the 1st RPM.  CVEs 7169, 7186, and 7187 were 
addressed with the 2nd RPM.  The two unaccounted for CVEs (6277 and 6278) 
have this statement on their pages:

> Technical details of this flaw are currently not public. Red Hat believes 
> that changes introduced via updates RHSA-2014:1306, RHSA-2014:1311, and 
> RHSA-2014:1312 that prevent Bash from defining new functions based on 
> arbitrary environment variables sufficiently mitigate this issue. This 
> statement will be updated once more details are available.

While this doesn't have the feeling of 'final', it appears things are stable 
for the time being.  We will continue to monitor the situation.  

The perfSONAR project would like to remind everyone to stay on top of 
patching (and if you haven't run yum update to pull in the bash changes, or 
our own mitigations to reduce the risk footprint in using bash) please do so 
immediately (for users of v 3.3 and the 3.4 RCs).  For those that are still 
using the LiveCD, a new build is available, but we hope the recent events 
will help to convince that the LiveCD use case should be considered 
carefully.  

Please let us know if there are other questions or concerns: 


Thanks;

-jason