
perfsonar-user - Re: [perfsonar-user] Important perfSONAR security update

Subject: perfSONAR User Q&A and Other Discussion

  • From: Hyojoon Kim <>
  • To: Antoine Delvaux <>
  • Cc: Andrew Lake <>, "" <>
  • Subject: Re: [perfsonar-user] Important perfSONAR security update
  • Date: Tue, 19 Jul 2016 18:35:49 +0000
  • Accept-language: en-US

Hello Antoine, 

Yes, now the upgrade works! Thank you! 

Regards,
Joon 

On Jul 19, 2016, at 2:18 PM, Antoine Delvaux <> wrote:

Hi Joon,

Some development packages made their way to our release repository although they were not ready for public release yet.  We have now removed them.

You should be able to correct your setup with the following commands:

apt-get update
apt-get purge perfsonar-toolkit perfsonar-toolkit-graphs perfsonar-toolkit-config-daemon perfsonar-toolkit-service-watcher

Let us know how it goes.

Thank you,

Antoine.

On Jul 11, 2016, at 14:06, Hyojoon Kim <> wrote:

Hello, 

I tried to upgrade perfsonar-toolkit on Ubuntu 14.04, and I got the following error message. Is this because chkconfig is no longer available on Ubuntu 14.04? Is there a known workaround? 

Thanks,
Joon 

==
# apt-get upgrade  perfsonar-toolkit*
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
Note, selecting 'perfsonar-toolkit-sysctl' for regex 'perfsonar-toolkit*'
Note, selecting 'perfsonar-toolkit' for regex 'perfsonar-toolkit*'
Note, selecting 'perfsonar-toolkit-graphs' for regex 'perfsonar-toolkit*'
Note, selecting 'perfsonar-toolkit-config-daemon' for regex 'perfsonar-toolkit*'
Note, selecting 'perfsonar-toolkit-service-watcher' for regex 'perfsonar-toolkit*'
Note, selecting 'perfsonar-toolkit-library' for regex 'perfsonar-toolkit*'
Note, selecting 'perfsonar-toolkit-security' for regex 'perfsonar-toolkit*'
Note, selecting 'perfsonar-toolkit-ntp' for regex 'perfsonar-toolkit*'
Note, selecting 'libperfsonar-toolkit-perl' for regex 'perfsonar-toolkit*'
libperfsonar-toolkit-perl is already the newest version.
perfsonar-toolkit-library is already the newest version.
perfsonar-toolkit-library set to manually installed.
perfsonar-toolkit-sysctl is already the newest version.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 perfsonar-toolkit : Depends: chkconfig but it is not installable
 perfsonar-toolkit-service-watcher : Depends: chkconfig but it is not installable
E: Unable to correct problems, you have held broken packages.
==



On Jul 7, 2016, at 2:02 PM, Andrew Lake <> wrote:

All,

We wanted to make everyone aware of a few important security updates to perfSONAR packages that were published this morning. A special thanks to Luke Young for taking the time to find, document and provide a few patches for the items detailed below.  The updates address the following issues:

1. It was possible to generate a carefully crafted SOAP message that goes to the OPPD service that would allow an unauthenticated user to read arbitrary files from the filesystem as the 'perfsonar' user. This was done by exploiting a feature of LibXML that processes external entities. The ability to do so has since been disabled.

2. The second issue allowed someone logged-in to the host via SSH as an unprivileged user to escalate to root privileges using a combination of the Toolkit’s ConfigManager and BWCTL’s posthook feature. ConfigManager did not actually need access to the BWCTL config file anymore, so access to this file (and thus the posthook feature) has been removed. 

If you are running auto-updates, you should be getting the updates automatically. You can run “yum update libperfsonar* perfsonar-toolkit* perfsonar-oppd*” to get the changes manually on RedHat and “apt-get update && apt-get upgrade libperfsonar* perfsonar-toolkit* perfsonar-oppd*” on Debian. Please let us know if you have any questions.


Thank you,
The perfSONAR Development Team
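
Added example, not part of the original message and not the perfSONAR patch: one way a Perl SOAP service can parse untrusted requests with XML::LibXML so that external entities of the kind described in item 1 are never resolved. The function name, the sample messages and the placeholder entity path are constructed for illustration, and the DOCTYPE refusal assumes SOAP 1.1 rules apply to the service.

```perl
use strict;
use warnings;
use XML::LibXML;

# Parse an untrusted SOAP request without resolving external entities.
sub parse_soap_request {
    my ($xml) = @_;
    my $parser = XML::LibXML->new(
        expand_entities => 0,    # leave entity references unexpanded
        load_ext_dtd    => 0,    # never load an external DTD subset
        no_network      => 1,    # never fetch anything over the network
    );
    my $doc = $parser->parse_string($xml);    # dies on malformed XML

    # Assumption: SOAP 1.1 rules apply, which forbid a DOCTYPE in a message,
    # so any DTD (the only place an entity can be declared) is refused.
    die "message carries a DOCTYPE\n"
        if defined $doc->internalSubset || defined $doc->externalSubset;

    my $root = $doc->documentElement;
    die "root element is not a SOAP Envelope\n"
        unless ($root->localname // '') eq 'Envelope';
    return $doc;
}

# Constructed sample requests; the entity target is a placeholder path.
my %samples = (
    plain => <<'XML',
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><request>status</request></soap:Body>
</soap:Envelope>
XML
    doctype => <<'XML',
<?xml version="1.0"?>
<!DOCTYPE request [ <!ENTITY ext SYSTEM "file:///placeholder/constructed"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><request>&ext;</request></soap:Body>
</soap:Envelope>
XML
);

for my $name (sort keys %samples) {
    my $doc = eval { parse_soap_request($samples{$name}) };
    my $why = $@;
    chomp $why;
    print "$name: ", ($doc ? 'accepted' : "refused ($why)"), "\n";
}
```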





