Hello Roberto, I have just returned from a two week canoe camping trip (no electricity, no internet). I saw this bug report just as I left town. I will be able to review your work next week.
I will have a bit to catch up on Monday. I will take a look at this after I catch up. Thank you for putting in the time to address this issue. You will hear from me again next week. I should be able to review that the changes are correct and test on the various distributions.

...Tim

On 7/17/20 3:13 PM, Roberto C. Sánchez wrote:
> Condor maintainers,
>
> Could you provide your thoughts/feedback on the below?
>
> Regards,
>
> -Roberto
>
> On Sun, Jul 12, 2020 at 07:44:40AM -0400, Roberto C. Sánchez wrote:
>> Hello all,
>>
>> Your feedback on the condor update situation (described below) would be
>> appreciated.
>>
>> Several weeks ago I prepared updates for condor for jessie (then-LTS),
>> stretch, and buster (the latter two still under the security team
>> umbrella) to address CVE-2019-18823. The description of the fix is "an
>> information disclosure of authentication credentials could allow an
>> attacker to impersonate an authenticated user and perform actions as
>> that user."
>>
>> I messaged the security team to seek counsel regarding the best way to
>> proceed with the update in stretch and buster with the intent of
>> resolving that question before proceeding with the jessie update. The
>> security team asked about what sort of testing had been performed. Not
>> being a user of condor, my ability to test the changes is limited, and since
>> the changes involve the authentication mechanisms, it would perhaps be
>> unwise to publish the update without some form of testing. Thus far I
>> have not taken further action.
>>
>> On the one hand it seems a shame to discard the prepared update, but on
>> the other hand the security team's concern regarding potential
>> regressions is quite correct.
>>
>> Does anyone have any specific suggestions? That is, is anyone able to
>> offer to test these packages or know someone who might be able to?
>> Apart from that, might there be an approach to minimize the possibility
>> of a regression?
>>
>> Regards,
>>
>> -Roberto
>>
>> --
>> Roberto C. Sánchez

--
Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736