Has IBM released or does IBM plan to release a fix in the 5.0.3.x branch?

On Wed, Apr 22, 2020 at 8:45 AM Felipe Knop <[email protected]> wrote:
> Stephan,
>
> Security bulletins need to go through an internal process, including legal
> review. In addition, we are normally required to ensure the fix is
> available for all releases before the security bulletin can be published.
> Because of that, we normally don't list details for security fixes in
> either the readmes or APARs, since the information can only be disclosed in
> the bulletin itself.
>
> ----
> The bulletin below has:
>
> If you cannot apply the latest level of service, contact IBM Service for
> an efix:
>
> - For IBM Spectrum Scale V5.0.0.0 through V5.0.4.1, reference APAR IJ23438
>
> - For IBM Spectrum Scale V4.2.0.0 through V4.2.3.20, reference APAR IJ23426
>
> "V5.0.0.0 through V5.0.4.1" should have been "V5.0.0.0 through V5.0.4.2".
> (I have asked the text to be corrected)
>
> Felipe
>
> ----
> Felipe Knop [email protected]
> GPFS Development and Security
> IBM Systems
> IBM Building 008
> 2455 South Rd, Poughkeepsie, NY 12601
> (845) 433-9314 T/L 293-9314
>
> ----- Original message -----
> From: Stephan Graf <[email protected]>
> Sent by: [email protected]
> To: <[email protected]>
> Cc:
> Subject: [EXTERNAL] Re: [gpfsug-discuss] GPFS vulnerability with possible
> root exploit on versions prior to 5.0.4.3 (and 4.2.3.21)
> Date: Wed, Apr 22, 2020 5:04 AM
>
> Hi
>
> I took a look at the "Readme and Release notes for release 5.0.4.3 IBM
> Spectrum Scale 5.0.4.3
> Spectrum_Scale_Data_Management-5.0.4.3-x86_64-Linux Readme"
> But I did not find the entry which mentioned the "For IBM Spectrum Scale
> V5.0.0.0 through V5.0.4.1, reference APAR IJ23438" APAR number which is
> mentioned on the "Security Bulletin: A vulnerability has been identified
> in IBM Spectrum Scale where an unprivileged user could execute commands
> as root ( CVE-2020-4273)" page.
>
> Shouldn't it be mentioned there?
>
> Stephan
>
> On 22.04.2020 at 10:19, Jaime Pinto wrote:
> > In case you missed (the forum has been pretty quiet about this one),
> > CVE-2020-4273 had an update yesterday:
> >
> > https://www.ibm.com/support/pages/node/6151701?myns=s033&mynp=OCSTXKQY&mync=E&cm_sp=s033-_-OCSTXKQY-_-E
> >
> > If you can't do the upgrade now, at least apply the mitigation to the
> > client nodes generally exposed to unprivileged users:
> >
> > Check the setuid bit:
> > ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("ls -l /usr/lpp/mmfs/bin/"$9)}'
> >
> > Apply the mitigation:
> > ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("chmod u-s /usr/lpp/mmfs/bin/"$9)}'
> >
> > Verification:
> > ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("ls -l /usr/lpp/mmfs/bin/"$9)}'
> >
> > All the best
> > Jaime
> >
> > ************************************
> > TELL US ABOUT YOUR SUCCESS STORIES
> > http://www.scinethpc.ca/testimonials
> > ************************************
> > ---
> > Jaime Pinto - Storage Analyst
> > SciNet HPC Consortium - Compute/Calcul Canada
> > www.scinet.utoronto.ca - www.computecanada.ca
> > University of Toronto
> > 661 University Ave. (MaRS), Suite 1140
> > Toronto, ON, M5G1M1
> > P: 416-978-2755
> > C: 416-505-1477
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
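The setuid mitigation quoted in the thread, written out as an added example (this is not code from the thread, from Jaime, or from IBM): inventory the setuid binaries under a directory with find -perm, which tests the mode bit itself rather than matching the "r-s" substring of the ls mode field (that substring appears for some permission patterns, such as -r-sr-xr-x, but not for others, such as -rwsr-xr-x), save each file's original mode to a manifest so the bits can be put back if a command turns out to need them, strip the bit, and verify nothing setuid is left. /usr/lpp/mmfs/bin is the directory named in the thread; the demo function builds a throwaway directory of constructed sample files instead of touching the real one. The script assumes GNU find and stat (-maxdepth, stat -c %a) and paths without whitespace; the manifest path is whatever you pass in.

```shell
#!/bin/sh
# Added example for the gpfsug thread above; not code from the thread or from IBM.
# Inventory setuid binaries under a directory, save their modes, strip the
# setuid bit (the mitigation Jaime describes), and verify. /usr/lpp/mmfs/bin
# is the directory named in the thread; demo() uses a constructed temp dir.
# Assumes GNU find/stat (-maxdepth, stat -c %a) and paths without whitespace.

# List regular files directly under $1 that have the setuid bit set.
# -perm -4000 tests the bit itself, independent of how ls renders the mode.
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 | sort
}

# Count the setuid files under $1 (prints 0 when there are none).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Write "path octal-mode" for every setuid file under $1 to manifest $2,
# so the original bits can be restored later with restore_modes.
record_modes() {
    : > "$2"
    list_setuid "$1" | while read -r f; do
        printf '%s %s\n' "$f" "$(stat -c %a "$f")" >> "$2"
    done
}

# Strip the setuid bit from every file listed in manifest $1.
strip_setuid() {
    while read -r f _mode; do
        chmod u-s "$f"
    done < "$1"
}

# Put the recorded modes back (undo of strip_setuid) from manifest $1.
restore_modes() {
    while read -r f mode; do
        chmod "$mode" "$f"
    done < "$1"
}

# Succeeds (exit 0) only if no setuid file remains under $1.
verify_clean() {
    [ -z "$(list_setuid "$1")" ]
}

# Self-contained walkthrough on constructed sample files: two setuid,
# one setgid-only (must be left alone), one plain. Prints a one-line summary.
demo() {
    d=$(mktemp -d)
    for n in mmsuid1 mmsuid2 mmsgid mmplain; do
        printf '#!/bin/sh\nexit 0\n' > "$d/$n"
    done
    chmod 4555 "$d/mmsuid1" "$d/mmsuid2"
    chmod 2555 "$d/mmsgid"
    chmod 0555 "$d/mmplain"

    before=$(count_setuid "$d")
    record_modes "$d" "$d/manifest"
    strip_setuid "$d/manifest"
    after=$(count_setuid "$d")
    if verify_clean "$d"; then clean=1; else clean=0; fi
    restore_modes "$d/manifest"
    restored=$(count_setuid "$d")
    rm -rf "$d"
    echo "setuid before=$before after=$after clean=$clean restored=$restored"
}

demo
```

Against a real node, as root, the sequence is record_modes /usr/lpp/mmfs/bin <manifest>, strip_setuid <manifest>, verify_clean /usr/lpp/mmfs/bin, with the manifest kept somewhere outside the GPFS tree so restore_modes can undo the change; the manifest is whitespace separated, so it is only good for paths without spaces.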
