
Security Advisory Important: condor security update

Advisory: RHSA-2012:1168-1
Type: Security Advisory
Severity: Important
Issued on: 2012-08-14
Last updated on: 2012-08-14
Affected Products: Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 5)
CVEs (cve.mitre.org): CVE-2012-3416

Details

Updated condor packages that fix one security issue are now available for
Red Hat Enterprise MRG 2.1 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Condor is a specialized workload management system for compute-intensive
jobs. It provides a job queuing mechanism, scheduling policy, priority
scheme, and resource monitoring and management.

Condor installations that rely solely upon host-based authentication were
vulnerable to an attacker who controls an IP address and its reverse-DNS
entry and who has knowledge of a target site's security configuration. With
this control and knowledge, the attacker could bypass the target site's
host-based authentication and be authorized to perform privileged actions
(that is, actions requiring ALLOW_ADMINISTRATOR or ALLOW_WRITE). Condor
deployments using host-based authentication that contain no hostnames (IPs
or IP globs only), or that use authentication stronger than host-based, are
not vulnerable. (CVE-2012-3416)
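The check named in the bug title below, forward-confirmed reverse DNS, shown beside a reverse-only check. This is an added example, a simplified model and not Condor's code or the backported patch; the function names, the injectable resolver parameters and the sample records are assumptions made for illustration.

```python
import fnmatch
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup through the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def name_allowed(name, patterns):
    """Case-insensitive glob match of a hostname against allow-list entries."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def reverse_only_allows(ip, patterns, reverse=system_reverse):
    """Weak check: trusts the PTR name, which the owner of `ip` controls."""
    name = reverse(ip)
    return name is not None and name_allowed(name, patterns)


def fcrdns_allows(ip, patterns, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed check: the PTR name must also resolve back to `ip`."""
    name = reverse(ip)
    if name is None or not name_allowed(name, patterns):
        return False
    peer = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == peer for a in forward(name))


# Constructed sample records (documentation ranges, example.org names).
PTR = {"192.0.2.10": "submit.example.org",   # legitimate pool member
       "203.0.113.5": "submit.example.org"}  # PTR chosen by that IP's owner
A = {"submit.example.org": {"192.0.2.10"}}   # forward zone, run by the site
ALLOW = ["*.example.org"]                    # hostname entry in an allow list


def sample_forward(name):
    """Forward lookup against the constructed A records above."""
    return A.get(name, set())
```

With the sample records, the reverse-only check accepts both addresses, while the forward-confirmed check accepts only the address that the site's own forward zone lists.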

Note: Condor will not run jobs as root; therefore, this flaw cannot lead to
a compromise of the root user account.

Red Hat would like to thank Ken Hahn and Dan Bradley for reporting this
issue.

All Red Hat Enterprise MRG 2.1 users are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
Condor must be restarted for the update to take effect.
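To see whether a configuration falls into the class the advisory describes as affected (host-based authorization lists that contain hostnames rather than only IPs or IP globs), the following added example lists the non-IP entries of each ALLOW_* setting. It is not Red Hat's or Condor's tooling, and it assumes a simplified config syntax: one `NAME = value` per line, entries separated by commas or whitespace, no macro expansion. The sample config and the `$(CM_HOST)` macro are constructed.

```python
import re

# Matches a bare "*", an IPv4 address/glob/netmask, or an IPv6-style entry
# (hex digits and at least one ":"). Anything else is treated as a hostname
# or as an entry that needs manual review (macros, user@host forms).
IP_LIKE = re.compile(
    r"^(\*|[0-9.*]+(/[0-9.]+)?|[0-9A-Fa-f:.*]*:[0-9A-Fa-f:.*]*(/[0-9]+)?)$")
SETTING = re.compile(r"^\s*(ALLOW_[A-Z_]+)\s*=\s*(.*)$")


def audit_allow_lists(config_text):
    """Return {setting: [entries that are not plain IPs or IP globs]}."""
    findings = {}
    for line in config_text.splitlines():
        match = SETTING.match(line)       # comment lines never match
        if not match:
            continue
        name, value = match.groups()
        entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
        risky = [e for e in entries if not IP_LIKE.match(e)]
        if risky:
            findings.setdefault(name, []).extend(risky)
    return findings


# Constructed sample configuration; $(CM_HOST) is a hypothetical macro.
SAMPLE_CONFIG = """\
# host-based authorization lists
ALLOW_ADMINISTRATOR = 192.0.2.10, 2001:db8::10
ALLOW_WRITE = 192.0.2.*, *.example.org, $(CM_HOST)
"""

if __name__ == "__main__":
    for setting, entries in audit_allow_lists(SAMPLE_CONFIG).items():
        print(f"{setting}: review {', '.join(entries)}")
```

An empty result means every ALLOW_* entry the parser saw is an IP or IP glob; any unexpanded macro is reported so that its value can be checked by hand.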


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 5)

SRPMS:
condor-7.6.5-0.14.2.el5.src.rpm
File outdated by:  RHSA-2013:1295
 
IA-32:
condor-7.6.5-0.14.2.el5.i386.rpm
File outdated by:  RHSA-2013:1295
condor-aviary-7.6.5-0.14.2.el5.i386.rpm
File outdated by:  RHSA-2013:1295
condor-classads-7.6.5-0.14.2.el5.i386.rpm
File outdated by:  RHSA-2013:1295
condor-kbdd-7.6.5-0.14.2.el5.i386.rpm
File outdated by:  RHSA-2013:1295
condor-qmf-7.6.5-0.14.2.el5.i386.rpm
File outdated by:  RHSA-2013:1295
condor-vm-gahp-7.6.5-0.14.2.el5.i386.rpm
File outdated by:  RHSA-2013:1295
 
x86_64:
condor-7.6.5-0.14.2.el5.x86_64.rpm
File outdated by:  RHSA-2013:1295
condor-aviary-7.6.5-0.14.2.el5.x86_64.rpm
File outdated by:  RHSA-2013:1295
condor-classads-7.6.5-0.14.2.el5.x86_64.rpm
File outdated by:  RHSA-2013:1295
condor-kbdd-7.6.5-0.14.2.el5.x86_64.rpm
File outdated by:  RHSA-2013:1295
condor-qmf-7.6.5-0.14.2.el5.x86_64.rpm
File outdated by:  RHSA-2013:1295
condor-vm-gahp-7.6.5-0.14.2.el5.x86_64.rpm
File outdated by:  RHSA-2013:1295
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

841175 - CVE-2012-3416 condor: host based authentication does not implement forward-confirmed reverse dns


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/