Below is a message regarding a security vulnerability in OPeNDAP server3. Many Ferret/LAS users may not be on the OPeNDAP mailing lists so we wanted to send this around to inform those who are not. For those who are, many apologies for the repeated messages.

-------- Original Message --------
All:

A problem has been found in the Server3 software which provides a way for people to run commands on the computer running the server. The best fix for this problem is to upgrade to Hyrax (aka. Server4). For those who want to continue running the old server, we will produce a patch which you can install, although the design of the new server is so much superior with respect to system security that I would urge everyone to carefully weigh the benefits of installing a patched version of the old server.

Regardless of whether you choose to upgrade to Hyrax or patch your server, you should seriously consider stopping any instances of Server3 you are now running until you have addressed this issue.

How to determine if you have been affected by this problem:

Look in your web server logs for evidence of people running commands.

Note that this _does not_ apply to sites already running Hyrax; this problem only affects sites still running Server3.

If you would like help in upgrading your server, or if you have more questions, you can contact this list (you must subscribe first, see http://www.opendap.org/mailLists/index.html), me (jgallagher at opendap.org) or our user support (support-opendap@xxxxxxxxxxxxxxxx). Shortly we will add information to the OPeNDAP web page (opendap.org).

Once we have addressed the short-term issues presented by this problem, OPeNDAP will form a Security Working Group to develop a set of policies concerning general security issues and responses to problems. See http://docs.opendap.org/index.php/Working_Groups for information about the Working Groups.

We apologize for any inconvenience this may cause you.

James

--
James Gallagher jgallagher at opendap.org
OPeNDAP, Inc 406.723.8663

--
Kevin O'Brien
UW/JISAO Research Scientist
NOAA/PMEL/TMAP
206-526-6751
http://tmap.pmel.noaa.gov

"The contents of this message are mine personally and do not necessarily reflect any position of the Government or the National Oceanic and Atmospheric Administration."