perfsonar-user - Re: [perfsonar-user] CVEs

Subject: perfSONAR User Q&A and Other Discussion

Re: [perfsonar-user] CVEs
  • From: Mark Feit <>
  • To: "Bidwell, Matt" <>, "" <>
  • Subject: Re: [perfsonar-user] CVEs
  • Date: Wed, 31 Jul 2024 17:59:54 +0000

Bidwell, Matt writes:

> I guess the simple question is, how does the Perfsonar project manage and respond to CVEs?

The simple answer is that we fix security vulnerabilities and get a new release out as quickly as we can after being made aware of their existence.

Once a release is out, the mirrors can take up to 24 hours to update and systems following our installation recommendations can take up to 24 hours more to apply the updates.  Installations in North America tend to get perfSONAR updates from Internet2, which is the source for the mirrors, and don’t suffer from the update lag.  Should we decide that an update is so critical that it must be applied immediately, we will send a note to this list and the announcement list.

We will, on occasion, comment on CVEs that affect perfSONAR systems but are otherwise out of our hands as we did earlier this month:  https://lists.internet2.edu/sympa/arc/perfsonar-user/2024-07/msg00000.html

> The more complex background is I couldn't really find the answer to this myself. For example, I know about CVE-2024-26306 and CVE-2023-7250 against iperf3 because I'm a paying RedHat customer. Working backwards from knowing the CVE numbers, I couldn't find any reference in the ESNet Github, 'rpm -q --changelog iperf3' or 'yum changelog iperf3'. I found an email here announcing the release of a new version of iperf3 fixing CVE-2024-26306 in version 3.17.

ESnet is a development partner in the perfSONAR project but iperf3 is entirely theirs and we don’t speak for them.  You’ll find their contact information and a link to their discussion forum in the iperf3 README:  https://github.com/esnet/iperf/blob/master/README.md.

perfSONAR gets iperf3 release announcements at the same time as everyone else and, as a courtesy, they’re sent to this list.  If an iperf3 release is security-related and considered critical, we’ll get that pushed out to the perfSONAR repo since we tend to distribute a later version than the OS distributors.  Because iperf3 is third-party relative to us, our RPM packaging of that software does not include their change log.  For Debian, it’s kept down to “New upstream version.”

> The next previous CVE email was log4j over 2 years ago.  Is there somewhere else I should be looking, and can I suggest making sure it's mentioned in Github release notes/ rpm changelogs?

Any release that contains changes to fix a CVE includes a mention of it in the release notes.  Those releases were 4.0.2 (CVE-2017-9798) and 4.4.6 (CVE-2022-45213 and CVE-2022-45027).  CVE-2022-41412 was patched in 4.4.5, but I’m pretty sure the release notes for that were written before the CVE was.

If I can toot this project’s collective horn for a moment, that very short list is all there is.  More often than not, problems are resolved and a new release is out before anyone bothers to write a CVE.  The record notification-to-release turnaround during my nine-year tenure here is about four hours, and less than 24 hours is typical on weekdays.  perfSONAR is fortunate to have developers that are well-seasoned, good at what they do and make decisions that make security problems a rarity.

Hope that answers your question.

--Mark

Archive powered by MHonArc 2.6.24.