perfSONAR User Q&A and Other Discussion

[Andrew Lake <>]

 Hi,

That package comes from a CentOS repo, it is not one we maintain. It’s possible CentOS will backport a change, but not sure how quickly that always happens for the medium issues like that one.  

I’m also not sure how the scanner in question is locating the vulnerability, but if it is just looking at version it’s likely not getting the whole picture since CentOS backports the patches. As is the case with most CentOS packages, the base version of the package is older but they backport patches for vulnerabilities. CentOS last updated that package a couple months ago, so it is still getting maintained. I can’t figure out a CVE that corresponds to the info provided by the scanner, so I am having trouble determining if it was already patched. 

The next version of perfSONAR (4.3) moves to python3 and thus will move ahead that package. That’s getting close to beta, and we’d rather not risk moving past the supported CentOS version since we then inherit responsibility of backporting more serious issues when they arise and likely RedHat/CentOS will be faster than us in those cases. 

Thanks,

Andy

On July 8, 2020 at 11:02:10 AM, Uhl, George D. (GSFC-423.0)[Arctic Slope Technical Services, Inc.] () wrote:

All,

 

Our security team identified a version of python-flask with a known vulnerability that they want patched.  The perfsonar repo currently doesn’t provide the latest patched version.  Would it be possible to include the fixed version in the perfsonar repo?

 

Thanks,

George Uhl

 

 

Path : Package - python-flask-0.10.1-5.el7_7|1
Installed version : 0.10.1
Fixed version : 0.12.3

·  Discovery

• First Discovered: 39 days ago
• Last Observed: 4 days ago

·  Host Information

• IP Address: x.x60.100 ( TCP )
• DNS: perfsonar-nsg-uat.sgw.earthdata.nasa.gov
• MAC Address: xxxxxxx
• NetBIOS: UNKNOWN\perfsonar-nsg-prod.sgw.earthdata.nasa.gov
• Repository: Individual Scan

·  Risk Information

• Risk Factor: Medium
• Vulnerability Priority Rating: 3.6
• CVSS v2 Base Score: 5.0
• CVSS v2 Temporal Score: 3.7
• CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
• CVSS v3 Base Score: 7.5
• CVSS v3 Temporal Score: 6.5
• CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

·  Exploit Information

• Patch Published: Apr 26, 2018
• Exploit Available: No
• Exploitability Ease: No known exploits are available

 

 

From: <> on behalf of Sowmya Balasubramanian <>
Reply-To: Sowmya Balasubramanian <>
Date: Monday, July 6, 2020 at 4:53 PM
To: perfSONAR-Developer <>, perfsonar-user <>
Subject: [EXTERNAL] [perfsonar-user] Lookup Service Round 3 testing - Jul 8-9

 

Hi All,

 

The perfSONAR Team will be testing the Lookup Service on July 8-9 (Wed-Thu). As done previously, a new instance containing the next release(that replaces backend with Elasticsearch) will be brought online.

 

*No changes* are required to the Toolkits/clients. 

 

We do not expect the service to be impacted. But, you may notice a dip in the number of hosts/interface records (for an hour or two), while the toolkits are switching to the new instance. 

 

After the testing is completed, the Lookup Service instance will be reverted back to the current production instance. 

 

An email will be sent right before the testing starts and when the testing has been completed.

 

Thank you for your cooperation.

 

Regards,

perfSONAR Team

--
To unsubscribe from this list: https://lists.internet2.edu/sympa/signoff/perfsonar-user