** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG  ADVISORY [EGI-SVG-2015-8464] 

Title:       EGI SVG Advisory 'Low' RISK Buffer overflow vulnerability in xrootd client [EGI-SVG-2015-8464]

Date:        2015-05-13
Updated:     

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-8464

Introduction
============

A buffer overflow vulnerability has been found in the XRootD client. 

This has been fixed. 


Details
=======

A buffer overflow vulnerability has been found in the XRootD client.

If a client were to be directed to a malicious xrootd server it is possible that a compromised could occur.  This seems unlikely hence the risk category. 


Risk category
=============

This issue has been assessed as 'Low' risk by the EGI SVG  Risk Assessment Team 


Affected software
=================

This is fixed in XRootD release 4.1.2

Earlier releases are likely to be vulnerable. 


Mitigation
==========

N/A


Component installation information
==================================

See the XRootD web page. [R 1] 



Recommendations
===============

Sites should upgrade in due course.


Credit
======

This vulnerability was reported by Gerd Behrmann 


References
==========

[R 1] http://xrootd.org/


Comments
========

Comments or questions should be sent to <a href="/cgi-bin/wa?LOGON=A3%3Dind1505%26L%3DXROOTD-DEV%26E%3D7bit%26P%3D34900%26B%3D--MP_%252F7Yk%252B5%252Boum3WHTKVKoERJqnK%26T%3Dtext%252Fplain%3B%2520charset%3Dutf-8%3B%2520name%3D%2522Advisory-SVG-2015-8464-05-12.txt%2522%26N%3DAdvisory-SVG-2015-8464-05-12.txt%26attachment%3Dq" target="_parent" >[log in to unmask]</a>

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. 


Timeline  
========
Yyyy-mm-dd

2015-04-10 Vulnerability reported by Gerd Behrmann 
2015-04-13 Acknowledgement from the EGI SVG to the reporter
2015-04-14 Software providers responded and involved in investigation
2015-04-17 Updated packages available 
2015-04-18 Assessment by the EGI Software Vulnerability Group reported. 
2015-05-12 Advisory written, delayed due to more serious issues taking priority
2015-05-13 Public disclosure



On behalf of the EGI SVG,


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1