Security patch available for GCSv5.4

Jason Alt

Aug 25, 2020, 11:32:23 AM
to Developer Discuss, admin-...@globus.org

We have released a security patch to GCS v5.4 that fixes bugs in the enforcement of (a) the policy that requires that the user have authenticated with the required domain within the authentication timeout, and (b) the requirement of valid consents for data access. These bugs impact only HTTPS access to data on mapped collections that do not handle high assurance data. All other versions of Globus endpoints and collection types are unaffected. Please update your deployment as described below.


These bugs impact only GCS v5.4 endpoints using mod-globus prior to version 0.51 with mapped collections that do not support high assurance data. Please see the following instructions to check if your endpoint is impacted and update, if necessary.


To determine the package version on Red Hat or CentOS:

$ rpm -q mod-globus

mod-globus-0.50-1.el7+gcs5.x86_64


To determine the package version on Debian or Ubuntu:

$ dpkg -s libapache2-mod-globus | grep '^Version:'

Version: 0.50-1+gcs5.bionic


To update on Red Hat or CentOS:

$ sudo yum clean all

$ sudo yum update mod-globus


To update on Debian or Ubuntu:

$ sudo apt update

$ sudo apt install libapache2-mod-globus


CHANGELOG

  • Enforce required domain policy for HTTPS access to mapped collections that do not handle high assurance data.

  • Enforce revoked consents for HTTPS access to mapped collections that do not handle high assurance data.


Please contact sup...@globus.org if you have any questions or concerns.


Thanks,
Jason Alt
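
The version check above can be scripted for a fleet of endpoints. The following is an added example, not part of the original message and not Globus tooling: it parses the two output formats shown in the message and compares the upstream version against 0.51. The function names, the "0.51" and "0.9" sample strings and the reliance on GNU `sort -V` are assumptions of this example; it checks the package version only, not the collection type.

```shell
#!/bin/sh
# Added example: classify mod-globus package strings against the fixed version.
FIXED_VERSION="0.51"   # from the advisory: versions prior to 0.51 are impacted

# Pull the upstream version (e.g. 0.50) out of `rpm -q mod-globus` output or
# the "Version:" line of `dpkg -s libapache2-mod-globus`. Prints nothing if
# the string matches neither format (for example "package ... is not installed").
extract_version() {
    case "$1" in
        Version:*)
            # An optional dpkg epoch ("1:") is skipped before the version.
            printf '%s\n' "$1" |
                sed -n 's/^Version:[[:space:]]*\([0-9]*:\)\{0,1\}\([0-9][0-9.]*\).*/\2/p' ;;
        mod-globus-*)
            printf '%s\n' "$1" | sed -n 's/^mod-globus-\([0-9][0-9.]*\)-.*/\1/p' ;;
    esac
}

# True when version $1 sorts strictly before $2 (assumes GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print impacted / patched / unknown for one package string.
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "impacted"
    else
        echo "patched"
    fi
}

# On a host: classify "$(rpm -q mod-globus)"
#        or: classify "$(dpkg -s libapache2-mod-globus | grep '^Version:')"
# Sample strings: the first two are from the message, the rest are constructed.
for s in 'mod-globus-0.50-1.el7+gcs5.x86_64' 'Version: 0.50-1+gcs5.bionic' \
         'mod-globus-0.51-1.el7+gcs5.x86_64' 'package mod-globus is not installed'
do
    printf '%-42s %s\n' "$s" "$(classify "$s")"
done
```

An "unknown" result means the string matched neither format, which includes hosts where the package is not installed.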