I deployed these changes today to both a 3.3 and a 3.4 install using the process
described in the README. Under fedora/describe on 3.4, I now see 3.4.1. Under
3.3, fedora/describe still says 3.3. I have verified that the original
fcrepo-server-3.3.jar is gone, and I restarted Tomcat several times in the
process of trying to figure out the problem.
It's not a huge deal, considering that we have a custom frontend, and both
Fedora deployments are inaccessible to the public, but I was just curious if
anyone else has experienced this same behavior.
From: Daniel Davis [mailto:dda...@fedora-commons.org]
Sent: Tuesday, October 19, 2010 8:15 PM
To: Fedora Commons Users
Subject: [fcrepo-user] Important Security Update for all Fedora Repository Installations
Security Notice from the Fedora Repository Committers:
October 19, 2010
This is a notification that a "Denial of Service" (DOS) vulnerability that
affects all Fedora Version 2 and 3 versions has been found during code review
and has been verified in testing. However, there have been no known attacks on
any public or private Fedora repository. Our review indicates this
vulnerability can corrupt the Fedora database in a way that will cause failure
of your operating repository. However, it cannot be used to damage your
archival storage. Fortunately, the repository may be recovered through the use
of the rebuilder utility but until your system is patched it could be subject
to additional DOS attacks.
A set of patches for Fedora 3.3 and Fedora 3.4 as well as a full release of
Fedora 3.4.1 in which the issue is fixed has been posted on SourceForge. We
ask you contact your repository operator immediately about the issue. If you
are using Fedora 3.0 through 3.2, we urge you to update to patched copies of
Fedora 3.3 or 3.4, or the 3.4.1 release at your earliest opportunity. The
security releases may be found at:
* http://sourceforge.net/projects/fedora-commons/files/fedora/3.3.1/
* http://sourceforge.net/projects/fedora-commons/files/fedora/3.4.1/
The instructions for installation may be found in the README files at the above
locations along with the downloads. Additional information may be found on the
DuraSpace Wiki in the Fedora Repository 3.4 Documentation
(http://wiki.duraspace.org/x/AgAU).
Unfortunately, Fedora 2 repositories remain vulnerable; a patch to Fedora 2,
whose code base was declared at "end-of-life" two years ago, has proven beyond
our resources at this time. Because of this, we will not be providing
details about potential exploits in the near term. Fedora 2 installations are
still of great concern to the Fedora committers since we know there are many
installations in our community who may not be in a position to update to the
latest Fedora release. We are seeking resources or volunteers to fix Fedora 2
but, at this time, we are not able to commit to a timeline for this work.
If you cannot update soon please read the following section containing
suggestions that may help mitigate the vulnerability of your repository. Your
installation may have minimal risk if Fedora is not directly exposed to
un-trusted users. You should:
* Restrict access to Field Search including for front applications which
pass unmodified query parameter text directly from users
* Restrict access from anonymous users for:
* API-A Lite "get" operations
* REST API "get" operations
* REST API "findObjects" operations
* Restrict ingest of new digital objects from un-trusted users
If you have front-end applications (like Islandora or Muradora) which control
access, the format of queries, or FOXML ingest or modifications your risks are
mitigated. It is best if direct access to Fedora is hidden from users and only
your front-end applications are exposed. In all cases, we recommend close
monitoring of your repository.
This notification is to warn operators of production Fedora repositories.
Please notify us if you have a sudden, unexplained failure of your system. As
with all software, security issues may arise. We are collecting contact
information for a responsible person for each production Fedora system to help
the notification process. Could you or your repository administrator please
provide us with a suitable contact? If you know of any other production Fedora
repositories, could you provide a suitable contact for it?
If you have any questions or are operating a Fedora system in production please
contact dda...@duraspace.org or cwil...@duraspace.org.
--
Daniel W. Davis
Cornell University, Computing and Information Science
DuraSpace Affiliate
http://duraspace.org
dda...@duraspace.org
dwda...@cs.cornell.edu
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
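As an added example (not code from this thread or from the Fedora project), a small post-patch check an operator could run to cover both points raised above: it reads the version from fedora/describe?xml=true and reports whether it is one of the fixed releases the notice names (3.3.1, 3.4.1), and it reports which of the endpoints the notice says to restrict still answer an unauthenticated GET. The describe XML is a constructed sample; the endpoint paths and the fedora-system pid are assumptions about the Fedora 3 REST and API-A Lite URL layout and should be checked against your install's documentation.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

FIXED_VERSIONS = {"3.3.1", "3.4.1"}  # releases the notice names as carrying the fix
# Endpoints the notice says to close to anonymous users (paths and pid are assumptions).
ANON_ENDPOINTS = {
    "REST findObjects": "/objects?terms=*&pid=true&resultFormat=xml",
    "REST get": "/objects/fedora-system:ContentModel-3.0",
    "API-A Lite get": "/get/fedora-system:ContentModel-3.0",
}
# Constructed sample of a /describe?xml=true reply from an unpatched 3.3 install.
SAMPLE_DESCRIBE = """<?xml version="1.0"?>
<fedoraRepository xmlns="http://www.fedora.info/definitions/1/0/access/">
  <repositoryName>Fedora Repository</repositoryName>
  <repositoryVersion>3.3</repositoryVersion>
</fedoraRepository>"""

def repository_version(describe_xml: str) -> str:
    """Return the <repositoryVersion> text, ignoring whatever namespace it carries."""
    for el in ET.fromstring(describe_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "repositoryVersion":
            return (el.text or "").strip()
    raise ValueError("no repositoryVersion element in describe output")

def is_patched(version: str) -> bool:
    """True only for the fixed releases; a bare 3.3 or 3.4 needs manual confirmation."""
    return version.strip() in FIXED_VERSIONS

def anonymous_status(base_url: str, path: str) -> int:
    try:  # unauthenticated GET: no credentials are ever sent
        with urllib.request.urlopen(base_url + path, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def classify(statuses: dict) -> dict:
    """2xx: reachable anonymously; 401/403: restricted; anything else: unknown."""
    return {n: "open" if 200 <= s < 300 else "restricted" if s in (401, 403) else "unknown"
            for n, s in statuses.items()}

if __name__ == "__main__":  # usage: python check.py http://localhost:8080/fedora
    base = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else None
    xml = urllib.request.urlopen(base + "/describe?xml=true").read().decode() if base else SAMPLE_DESCRIBE
    statuses = ({n: anonymous_status(base, p) for n, p in ANON_ENDPOINTS.items()} if base
                else {"REST findObjects": 200, "REST get": 403, "API-A Lite get": 404})
    v = repository_version(xml)
    print(f"repositoryVersion {v}: {'fixed release' if is_patched(v) else 'NOT a fixed release'}")
    for name, state in classify(statuses).items():
        print(f"  {name}: {state}")
```

Run without arguments it evaluates the constructed sample offline; with a base URL it probes the live install, and an "open" findObjects on an unpatched version is the combination the notice is warning about.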