perfsonar-user - Re: [perfsonar-user] cassandra security announcement

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake <>
  • To: Andreas Haupt <>
  • Cc:
  • Subject: Re: [perfsonar-user] cassandra security announcement
  • Date: Thu, 2 Apr 2015 07:31:21 -0400

Hi,

Signed versions of the RPMs have been committed. It may take a few hours for
them to propagate, so if you are still getting the unsigned message, please
be patient.

Thanks,
Andy


On Apr 2, 2015, at 2:41 AM, Andreas Haupt <> wrote:

> Hi Andrew,
>
> the updated package is unsigned and therefore not installed:
>
> [root@perfson1 ~]# yum update
> Setting up Update Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package cassandra20.noarch 0:2.0.7-1 will be updated
> ---> Package cassandra20.noarch 0:2.0.14-1 will be an update
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> =========================================================================================================================================
> Package            Arch          Version          Repository        Size
> =========================================================================================================================================
> Updating:
> cassandra20        noarch        2.0.14-1         Internet2         17 M
>
>
> Transaction Summary
> =========================================================================================================================================
> Upgrade 1 Package(s)
>
> Total size: 17 M
> Is this ok [y/N]: y
> Downloading Packages:
>
>
> Package cassandra20-2.0.14-1.noarch.rpm is not signed
> [root@perfson1 ~]#
>
> Cheers,
> Andreas
>
> On Wednesday, 01.04.2015, at 21:00 -0400, Andrew Lake wrote:
>> Hi all,
>>
>>
>> There was a CVE released today for cassandra, which is used by the
>> perfSONAR measurement archive software, esmond. You can find more
>> information here: http://seclists.org/bugtraq/2015/Apr/0. If you are
>> using the perfSONAR Toolkit distribution NO further action is required
>> to protect your host. The summary of the issue is that by default
>> cassandra listens on ports for JMX connections which allows remote
>> execution of java code. Since inclusion of cassandra on the Toolkit
>> last year, the Toolkit has a script that automatically turns these
>> ports off in the cassandra configuration. Furthermore, the default
>> iptables that the Toolkit installs block these ports had anything been
>> listening on them.
>>
>>
>> If you are running a standalone esmond instance you need to update and
>> restart cassandra. A few users have installed esmond separately from a
>> Toolkit host as a central measurement archive or similar. If you are
>> one of these users you need to run the following:
>>
>>
>> yum update cassandra20
>> /sbin/service cassandra restart
>>
>>
>> Note the restart of cassandra, so auto-updates alone aren't enough.
>> Please let us know if you have any questions.
>>
>>
>> Thank you,
>> The perfSONAR Development Team
>
> --
> | Andreas Haupt | E-Mail:
>
> | DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
> | Platanenallee 6 | Phone: +49/33762/7-7359
> | D-15738 Zeuthen | Fax: +49/33762/7-7216
>
>
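
A check an operator of a standalone esmond host could run after the update and restart described in the announcement, as an added example that is not part of the original thread or perfSONAR's own tooling: it parses `ss -ltn` output and reports any JMX listener bound to a non-loopback address. Port 7199 (Cassandra's default JMX port) and the function names are assumptions not stated in the thread; the sample listings are constructed.

```shell
# Added example, not perfSONAR code. Assumption: 7199 is Cassandra's default JMX port.
JMX_PORT="${JMX_PORT:-7199}"

# Read `ss -ltn` style lines on stdin and print the local address of every
# listener on $JMX_PORT that is bound to something other than loopback.
jmx_exposed_listeners() {
    awk -v port="$JMX_PORT" '
        $1 != "LISTEN" { next }              # skip header and other states
        {
            laddr = $4                        # Local Address:Port column
            n = split(laddr, parts, ":")
            if (parts[n] != port) next
            # Everything before the last ":" is the bind address.
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)         # [::1] -> ::1
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print laddr
        }'
}

# Return 0 when no exposed JMX listener is found, 1 otherwise.
jmx_check() {
    exposed=$(jmx_exposed_listeners)
    [ -z "$exposed" ] && return 0
    echo "JMX port $JMX_PORT reachable on: $exposed" >&2
    return 1
}

# Constructed sample input: a standalone host with JMX on all interfaces.
sample_before() {
    cat <<'EOF'
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      50     0.0.0.0:7199         0.0.0.0:*
LISTEN  0      50     127.0.0.1:9160       0.0.0.0:*
LISTEN  0      128    [::]:22              [::]:*
EOF
}

# Constructed sample input: JMX bound to loopback only.
sample_after() {
    cat <<'EOF'
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      50     127.0.0.1:7199       0.0.0.0:*
LISTEN  0      50     [::1]:7199           [::]:*
EOF
}

sample_before | jmx_check || echo "before: exposed"
sample_after  | jmx_check && echo "after: ok"
```

On a live host, feed it real data with `ss -ltn | jmx_check`; a non-zero exit status means a JMX listener is still bound to a non-loopback address.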



