I tried removing the fedora.war but no dice. However, right after I tried that, I did determine that the problem relates to the fact that we have some custom files in this Fedora deployment (it's our test box). Once I moved them, 3.3.1 appeared. Interesting.
Thanks for your input,
Jeremy

-----Original Message-----
From: Chris Wilper [mailto:cwil...@duraspace.org]
Sent: Thursday, October 21, 2010 9:32 AM
To: fcrepo-user
Subject: Re: [fcrepo-user] Important Security Update for all Fedora Repository Installations

Hi Jeremy,

It should definitely say Fedora 3.3.1 if the new jar is in use and the old one has been removed -- I just double-checked in my own environment.

If you're using a custom-configured Tomcat or other servlet container it may be that the original WAR file is being used rather than what's in the WEB-INF directory. If that's the case, try removing the fedora.war file (e.g. in tomcat/webapps/) to make sure it's using what's in the fedora subdirectory, and not the original war file.

- Chris

On Thu, Oct 21, 2010 at 7:21 AM, Gottwig, Jeremy M. (GSFC-272.0)[ZIMMERMAN & ASSOC.] <jeremy.m.gott...@nasa.gov> wrote:
> I deployed these changes today to both 3.3 and a 3.4 installs using the
> process described in the README. Under fedora/describe on 3.4, I now see
> 3.4.1. Under 3.3, fedora/describe still says 3.3. I have verified that the
> original fcrepo-server-3.3.jar is gone, and I restarted Tomcat several times
> in the process of trying to figure out the problem.
>
> It’s not a huge deal, considering that we have a custom frontend, and both
> Fedora deployments are inaccessible to the public, but I was just curious if
> anyone else has experienced this same behavior.
>
> From: Daniel Davis [mailto:dda...@fedora-commons.org]
> Sent: Tuesday, October 19, 2010 8:15 PM
> To: Fedora Commons Users
> Subject: [fcrepo-user] Important Security Update for all Fedora Repository
> Installations
>
> Security Notice from the Fedora Repository Committers:
>
> October 19, 2010
>
> This is a notification that a “Denial of Service” (DOS) vulnerability that
> affects all Fedora Version 2 and 3 versions has been found during code
> review and has been verified in testing.
> However, there have been no known
> attacks on any public or private Fedora repository. Our review indicates
> this vulnerability can corrupt the Fedora database in a way that will cause
> failure of your operating repository. However, it cannot be used to damage
> your archival storage. Fortunately, the repository may be recovered through
> the use of the rebuilder utility but until your system is patched it could
> be subject to additional DOS attacks.
>
> A set of patches for Fedora 3.3 and Fedora 3.4 as well as a full release of
> Fedora 3.4.1 in which the issue is fixed has been posted on SourceForge. We
> ask you contact your repository operator immediately about the issue. If
> you are using Fedora 3.0 through 3.2, we urge you to update to patched
> copies of Fedora 3.3 or 3.4, or the 3.4.1 release at your earliest
> opportunity. The security releases may be found at:
>
> http://sourceforge.net/projects/fedora-commons/files/fedora/3.3.1/
> http://sourceforge.net/projects/fedora-commons/files/fedora/3.4.1/
>
> The instructions for installation may be found in the README files at the
> above locations along with the downloads. Additional information may be
> found on the DuraSpace Wiki in the Fedora Repository 3.4 Documentation
> (http://wiki.duraspace.org/x/AgAU).
>
> Unfortunately, Fedora 2 repositories remain vulnerable; a patch to Fedora 2,
> whose code base was declared at “end-of-life” two years ago, has proven
> beyond our resources at this time. Because of this, we will not be
> providing details about potential exploits in the near term. Fedora 2
> installations are still of great concern to the Fedora committers since we
> know there are many installations in our community who may not be in a
> position to update to the latest Fedora release. We are seeking resources or
> volunteers to fix Fedora 2 but, at this time, we are not able to commit to a
> timeline for this work.
>
> If you cannot update soon please read the following section containing
> suggestions that may help mitigate the vulnerability of your repository.
> Your installation may have minimal risk if Fedora is not directly exposed to
> un-trusted users. You should:
>
> * Restrict access to Field Search including for front applications which pass
>   unmodified query parameter text directly from users
> * Restrict access from anonymous users for:
>     * API-A Lite “get” operations
>     * REST API “get” operations
>     * REST API “findObjects” operations
> * Restrict ingest of new digital objects from un-trusted users
>
> If you have front-end applications (like Islandora or Muradora) which
> control access, the format of queries, or FOXML ingest or modifications your
> risks are mitigated. It is best if direct access to Fedora is hidden from
> users and only your front-end applications are exposed. In all cases, we
> recommend close monitoring of your repository.
>
> This notification is to warn operators of production Fedora repositories.
> Please notify us if you have a sudden, unexplained failure of your system.
> As with all software, security issues may arise. We are collecting contact
> information for a responsible person for each production Fedora system to
> help the notification process. Could you or your repository administrator
> please provide us with a suitable contact? If you know of any other
> production Fedora repositories, could you provide a suitable contact for it?
>
> If you have any questions or are operating a Fedora system in production
> please contact dda...@duraspace.org or cwil...@duraspace.org.
>
> --
> Daniel W. Davis
> Cornell University, Computing and Information Science
> DuraSpace Affiliate
> http://duraspace.org
> dda...@duraspace.org
> dwda...@cs.cornell.edu
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
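
The check discussed in this thread (is an old jar or the original fedora.war still able to shadow the patched code?), written as a script. This is an added example, not part of the thread or of the Fedora README. It assumes the webapp is exploded under `webapps/fedora` and that the patched jar follows the `fcrepo-server-<version>.jar` naming of the `fcrepo-server-3.3.jar` mentioned above.

```shell
#!/bin/sh
# Added example: look for leftovers that can hide a patched Fedora jar.
# Assumption: jars are named fcrepo-server-<version>.jar, as with the
# fcrepo-server-3.3.jar mentioned in the thread.

# audit_fedora_webapp WEBAPPS_DIR EXPECTED_VERSION
# Prints one finding per line; returns 0 only when the expected jar is the
# sole fcrepo-server jar and no fedora.war sits beside the exploded webapp.
audit_fedora_webapp() {
    webapps=$1
    expected=$2
    lib="$webapps/fedora/WEB-INF/lib"
    rc=0

    if [ ! -d "$lib" ]; then
        echo "MISSING: $lib"
        return 1
    fi

    found=no
    for jar in "$lib"/fcrepo-server-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        name=${jar##*/}
        if [ "$name" = "fcrepo-server-$expected.jar" ]; then
            found=yes
            echo "OK: $name"
        else
            echo "STALE: $name"            # old or custom copy still on the classpath
            rc=1
        fi
    done
    if [ "$found" = no ]; then
        echo "MISSING: fcrepo-server-$expected.jar"
        rc=1
    fi

    # An original WAR next to the exploded directory may be deployed instead.
    if [ -f "$webapps/fedora.war" ]; then
        echo "WARN: $webapps/fedora.war present"
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh /path/to/tomcat/webapps 3.3.1
if [ "$#" -eq 2 ]; then
    audit_fedora_webapp "$1" "$2"
fi
```

A clean result here only covers the files on disk; the version reported under fedora/describe after a restart remains the confirmation that the patched jar is the one loaded.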