[Thread Prev][Thread Next][Index]

[las_users] [Fwd: Important security information regarding Server3]

Below is a message regarding a security vulnerability in OPeNDAP server3.  Many LAS users may not be on the OPeNDAP mailing lists so we wanted to send this around to inform those who are not.  For those who are, many apologies for the repeated messages.

-------- Original Message --------
Subject: Important security information regarding Server3
Date: Wed, 25 Apr 2007 10:08:06 -0600
From: Gallagher James <jgallagher@xxxxxxxxxxx>
Organization: UCAR/Unidata
To: OPeNDAP Tech <opendap-tech@xxxxxxxxxxxxxxxx>, Opendap List <opendap@xxxxxxxxxxxxxxxx>


A problem has been found in the Server3 software which provides a way  
for people to run commands on the computer running the server. The  
best fix for this problem is to upgrade to Hyrax (aka. Server4). For  
those who want to continue running the old server, we will produce a  
patch which you can install, although the design of the new server is  
so much superior with respect to system security that I would urge  
everyone to carefully weigh the benefits of installing a patched  
version of the old server. Regardless of whether you choose to  
upgrade to Hyrax or patch your server, you should seriously consider  
stopping any instances of Server3 you are now running until you have  
addressed this issue.

How to determine if you have been affected by this problem: Look in  
your web server logs for evidence or people running commands.

Note that this _does not_ apply to site already running Hyrax; this  
problem only affects sites still running Server3.

If you would like help in upgrading your server, or if you have more  
questions, you can contact this list (you must subscribe first, see  
http://www.opendap.org/mailLists/index.html, me (jgallagher at  
opendap.org) or our user support (support-opendap@xxxxxxxxxxxxxxxx).  
Shortly we will add information to the OPeNDAP web page (opendap.org).

Once we have addressed the short-term issues presented by this  
problem, OPeNDAP will form a Security Working Group to develop a set  
of policies concerning general security issues and responses to  
problems. See http://docs.opendap.org/index.php/Working_Groups for  
information about the Working Groups.

We apologize for any inconvenience this may cause you.


James Gallagher                jgallagher at opendap.org
OPeNDAP, Inc                   406.723.8663

Kevin O'Brien                   UW/JISAO	
Research Scientist              NOAA/PMEL/TMAP
206-526-6751                    http://tmap.pmel.noaa.gov

"The contents of this message are mine personally and do 
 not necessarily reflect any position of the Government 
 or the  National Oceanic and Atmospheric Administration."

[Thread Prev][Thread Next][Index]

Contact Us
Dept of Commerce / NOAA / OAR / PMEL / TMAP

Privacy Policy | Disclaimer | Accessibility Statement