Security patch available for GCSv5.4

1 view
Skip to first unread message

Jason Alt

unread,
Aug 25, 2020, 11:32:23 AM8/25/20
to Developer Discuss, admin-...@globus.org

We have released a security patch to GCS v5.4 that fixes bugs in the enforcement of (a) the policy that requires the user must have authenticated with the required domain within the authentication timeout, and (b) the requirement of valid consents for data access. These bugs impact only HTTPS access to data on mapped collections that do not handle high assurance data.  All other versions of Globus endpoints and collection types are unaffected.  Please update your deployment as described below.


These bugs impact only GCS v5.4 endpoints using mod-globus prior to version 0.51 with mapped collections that do not support high assurance data.  Please see the following instructions to check if your endpoint is impacted and update, if necessary. 


To determine the package version on Redhat or CentOS:

$ rpm -q mod-globus

mod-globus-0.50-1.el7+gcs5.x86_64


To determine the package version on Debian or Ubuntu:

$ dpkg -s libapache2-mod-globus | grep '^Version:'

Version: 0.50-1+gcs5.bionic


To update on Redhat or CentOS:

$ sudo yum clean all

$ sudo yum update mod-globus


To update on Debian or Ubuntu:

$ sudo apt update

$ sudo apt install libapache2-mod-globus


CHANGELOG

  • Enforce required domain policy for HTTPS access to mapped collections that do not handle high assurance data.

  • Enforce revoked consents for HTTPS access to mapped collections that do not handle high assurance data.


Please contact sup...@globus.org if you have any questions or concerns.


Thanks,
Jason Alt
Reply all
Reply to author
Forward
0 new messages