perfSONAR Announcements

[Jason Zurawski <>]

All;

The same fix for 3.3 is available in the 'vault' we are maintaining:

http://software.internet2.edu/vault/3.3

For those that have not upgraded to 3.4, they can enable the vault (and 
disable the main repo) so that yum uses it, or they can download/install the 
RPMs by hand.  

Thanks;

-jason

On Oct 16, 2014, at 12:37 AM, Roderick Mooi 
<>
 wrote:

> Hi all
> 
> For 3.3., as I understand these articles, disabling SSLv3 (if that's an 
> option for you) should mitigate the vulnerability.
> 
> https://access.redhat.com/articles/1232123
> https://access.redhat.com/solutions/1232413
> 
> In /etc/httpd/conf.d/ssl.conf
> remove +SSLv3 from the line:
> SSLProtocol -ALL +SSLv3 +TLSv1
> so that it becomes:
> SSLProtocol -ALL +TLSv1
> and restart httpd
> service httpd restart
> 
> Regards,
> 
> Roderick
> 
>>>> On 2014-10-15 at 17:01, Jason Zurawski 
>>>> <>
>>>>  wrote:
>> Greetings;
>> 
>> This morning a new vulnerability in the SSLv3 libraries was disclosed.  
>> The 
>> colloquial name is 'POODLE', keeping up this year's tradition of catchy 
>> ways 
>> to make you feel better about how you will spend part of your day patching 
>> devices.  A write up is available here:
>> 
>> https://access.redhat.com/articles/1232123 
>> 
>> And the full CVE from Redhat is here:
>> 
>> https://access.redhat.com/security/cve/CVE-2014-3566 
>> 
>> The best way to summarize the risk is that someone attempting a man in the 
>> middle could steal authorization headers from HTTP traffic, and gain entry 
>> to 
>> a server.  This naturally impacts all servers implementing SSLv3 
>> protocols, 
>> including the perfSONAR Toolkit.  There are no reports of perfSONAR 
>> servers 
>> being victimized by this vulnerability, but the risk is a danger for any 
>> communication that uses the vulnerable libraries.  
>> 
>> As of this morning (Oct 15 2014) there is not an upstream patch available 
>> from CentOS to correct the underlying problem in the libraries for 
>> servers.  
>> Our development team has taken the steps to modify the Apache 
>> configuration 
>> on the toolkit to disable use of SSLv3 within the 3.4 release of 
>> perfSONAR.  
>> A new package is available in our yum repository that addresses this.  We 
>> are 
>> recommending that netinstall users:
>> 
>> - Check your logs to see if the package has been automatically downloaded 
>> yet.  The package names are perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and 
>> perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS
>> 
>> - If you don't see it automatically downloaded, 'yum update' by hand.  
>> 
>> A modification to the 3.3.2 release of the LiveCD is being built, but will 
>> take a more time. LiveCD users with concerns can power down, or expedite 
>> your 
>> migration to the netinstall platform.  There will not be a 3.3 package 
>> released for netinstall users who have not upgraded yet - take this 
>> opportunity to upgrade to 3.4 if possible.  
>> 
>> We will keep everyone posted on when a patch from the upstream vendor is 
>> released - for now we are confident that the changes we are implementing 
>> on 
>> the server side will reduce the risk this vulnerability poses.  
>> 
>> Thanks;
>> 
>> -jason