gLite Security Updates

Security Updates are supported for existing gLite 3.1 and 3.2 services until April 2012. For more details, please check the gLite support calendar.

EGI SVG assessments

EGI SVG is the body carrying out assessments on security vulnerabilities. EGI SVG reports about software vulnerabilities found in the middleware. The assessment states the risk of the vulnerability, the date by which a fix should be provided and the list of affected services.

The gLite 3.1/3.2 release manager should join the EGI SVG tracker to be notified of new software vulnerabilities. Contact Linda Cornwall for more details on how to join the EGI SVG tracker.

Process to release a security update

  • Release management: Cristina Aiftimiei and Andrea Ceccanti
  • Maintenance of gLite 3.1 and 3.2 repositories and gLite web pages: Pablo Guerrero
  • EGI staged rollout: Mario David

Patch to release a security update

Note that the process described here is a shortcut to the Interim gLite release process for gLite 3.1 and 3.2. It intends to minimise the effort to prepare a security update.

When a security vulnerability affects a gLite 3.1/3.2 service and the fix needs to be released within the support dates defined in the gLite support calendar, the release manager opens a patch in the gLite Middleware patch tracker with the title gLite 3.1/3.2 security update X.

Note that one patch will be opened for 3.1 and one patch will be opened for 3.2 since the packages are not always the same in both cases.

The relevant PTs are contacted by the release manager to produce the needed packages. Once the packages are ready, the URL to the packages is provided under the RPM name field. The PTs attaches a test report file with the results of the performed tests (deployment and basic functionality related to the fix) and moves the patch into Certified.

No more metapackages are created, only the relevant packages fixing the security update are provided and included in the repositories of the services affected by the security vulnerability.

Staged rollout of the security update

The integration team prepares the staged rollout repositories for the set of affected services and moves the patch into Ready for rollout. The EGI staged rollout team starts the staged rollout of the security update.

Production release of the security update

When the patch is moved to Ready for production by the EGI staged rollout team, the integration team prepares the production repositories of the affected services.

The integration team contacts the EGI SVG to make sure the advisory is up to date and the link to it is made public.

The integration team updates the gLite web pages with the information relevant to the new security update:

gLite security 3.1/3.2 update X

List of affected services

gLite security update X addresses EGI security vulnerability advisory X [LINK].

Installation and Configuration 
- Run yum update


- Run yum install package-name (when new packages are needed, not defined as dependencies of the metapackage)

The package(s) can also be downloaded from the following URL(s):

Known issues

Describe any known issues associated to the security update.

The integration team sends a broadcast announcing the release of the new security update.

-- MariaALANDESPRADILLO - 25-Oct-2011

Edit | Attach | Watch | Print version | History: r7 < r6 < r5 < r4 < r3 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r7 - 2011-11-15 - MariaALANDESPRADILLO
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback