perfSONAR Announcements

[Andrew Lake <>]

Hi,

New 3.3 LiveCD/USBs are now available with the aforementioned POODLE fixes:

LiveCD(i386):
http://software.internet2.edu/pS-Performance_Toolkit/previous_releases/pS-Performance_Toolkit-3.3.2-11-LiveCD-i386.iso
http://software.internet2.edu/pS-Performance_Toolkit/previous_releases/pS-Performance_Toolkit-3.3.2-11-LiveCD-i386.iso.md5

LiveCD(x86_64):
http://software.internet2.edu/pS-Performance_Toolkit/previous_releases/pS-Performance_Toolkit-3.3.2-11-LiveCD-x86_64.iso
http://software.internet2.edu/pS-Performance_Toolkit/previous_releases/pS-Performance_Toolkit-3.3.2-11-LiveCD-x86_64.iso.md5

LiveUSB(i386):
http://software.internet2.edu/pS-Performance_Toolkit/previous_releases/pS-Performance_Toolkit-3.3.2-11-LiveUSB-i386.iso
http://software.internet2.edu/pS-Performance_Toolkit/previous_releases/pS-Performance_Toolkit-3.3.2-11-LiveUSB-i386.iso.md5


LiveUSB(x86_64):
http://software.internet2.edu/pS-Performance_Toolkit/previous_releases/pS-Performance_Toolkit-3.3.2-11-LiveUSB-x86_64.iso
http://software.internet2.edu/pS-Performance_Toolkit/previous_releases/pS-Performance_Toolkit-3.3.2-11-LiveUSB-x86_64.iso.md5

Please let us know if you have any questions. Note this is for 3.3 LiveCD 
users only as there is no 3.4 LiveCD. 3.4 users should see the previous notes 
and should already have fixes available to them. 

Thanks,
Andy

On Oct 15, 2014, at 11:01 AM, Jason Zurawski 
<>
 wrote:

> Greetings;
> 
> This morning a new vulnerability in the SSLv3 libraries was disclosed.  The 
> colloquial name is 'POODLE', keeping up this year's tradition of catchy 
> ways to make you feel better about how you will spend part of your day 
> patching devices.  A write up is available here:
> 
> https://access.redhat.com/articles/1232123
> 
> And the full CVE from Redhat is here:
> 
> https://access.redhat.com/security/cve/CVE-2014-3566
> 
> The best way to summarize the risk is that someone attempting a man in the 
> middle could steal authorization headers from HTTP traffic, and gain entry 
> to a server.  This naturally impacts all servers implementing SSLv3 
> protocols, including the perfSONAR Toolkit.  There are no reports of 
> perfSONAR servers being victimized by this vulnerability, but the risk is a 
> danger for any communication that uses the vulnerable libraries.  
> 
> As of this morning (Oct 15 2014) there is not an upstream patch available 
> from CentOS to correct the underlying problem in the libraries for servers. 
>  Our development team has taken the steps to modify the Apache 
> configuration on the toolkit to disable use of SSLv3 within the 3.4 release 
> of perfSONAR.  A new package is available in our yum repository that 
> addresses this.  We are recommending that netinstall users:
> 
> - Check your logs to see if the package has been automatically downloaded 
> yet.  The package names are perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and 
> perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS
> 
> - If you don't see it automatically downloaded, 'yum update' by hand.  
> 
> A modification to the 3.3.2 release of the LiveCD is being built, but will 
> take a more time. LiveCD users with concerns can power down, or expedite 
> your migration to the netinstall platform.  There will not be a 3.3 package 
> released for netinstall users who have not upgraded yet - take this 
> opportunity to upgrade to 3.4 if possible.  
> 
> We will keep everyone posted on when a patch from the upstream vendor is 
> released - for now we are confident that the changes we are implementing on 
> the server side will reduce the risk this vulnerability poses.  
> 
> Thanks;
> 
> -jason