Security Patch for MDS2 in Globus Toolkit 4.0

Please note that in the GT4 pre-WS build, MDS2 is not installed by default. This is because of security concerns with two third-party libraries, OpenLDAP 2.0.22 and Cyrus SASL 1.5.27. That version of OpenLDAP has security vulnerabilities that are no longer being patched because of the age of the version (the current version is 2.2.25). This means that anyone who runs MDS2 on their server is potentially exposed, although we have no reported cases of this occurring. A similar situation exists for the version of Cyrus SASL we are using, although this can be avoided by not running MDS2 in secure mode.

An unsupported, minimally tested version of MDS2 based on more recent, more secure versions of OpenLDAP and Cyrus SASL is available for download below; however, we strongly recommend that any MDS2 users upgrade their system to the new WSRF-based MDS4, and we will be happy to work with you to make this possible for your project. Please note that in GT4, MDS2 is a deprecated component, which means that it will not be included in the GT4.2 release, nor supported once GT4.4 exists.

Patch

This patch consists of two source tarballs, each based on an original GT source bundle release:

We have brought newer SASL and OpenLDAP code into the MDS2 code base and patched and updated the related modules. We used cyrus-sasl-2.1.20 and openldap-2.2.23. Both the new SASL and OpenLDAP sources were modified directly rather than by generating a separate patch-and-build file.

Installing the patch

Both tarballs are complete source tarballs (not just patch files) and can be built with GPT:

  1. Untar the files and cd into the resulting directory.
  2. Run build_gpt.
  3. Set the environment variable GLOBUS_LOCATION to the directory where you would like the bundles installed, then run:
       gpt-build [bundle] gcc32dbgpthr
     Replace [bundle] with the name of a bundle (for example, globus-information-services-client-4.0).
  4. Source $GLOBUS_LOCATION/etc/globus-user-env.sh (Bourne shell) or $GLOBUS_LOCATION/etc/globus-user-env.csh (C shell), depending on your shell.
  5. Run gpt-postinstall.

Note: There will be many warnings about "too many arguments for format" during compilation. These warnings do not affect the operation of the code; they arise because newer OpenLDAP has adopted a new error-message output routine that we did not update to.

List of changes

Here is a quick list of affected modules and changes that were made:

globus_mds_gris_setup-2.9
  • Removed some lines from grid-info-resource.schema (integerMatch cannot have that case entry).
  • Added 'allows update_anon' to grid-info-slapd.conf.in.
globus_ldapmodules-0.15 (ldif/gris)
  • Since the interface, the underlying data structure and some utility code were changed in OpenLDAP, the newer code had to be brought in and some old code removed.
globus_mds_back_giis-0.9
  • Same as above.
globus_openldap-0.8
  • Added the new additions in ldap_r's tpool.c.
  • Changes in client/ldapmodify, ldapsearch and common for timeout and referral via GSI.
globus_cyrus-sasl-0.5
  • Some configuration changes to accommodate GPT's unusual directory layout.
globus_sasl_gssapi_gsi-0.3
  • Brought in the newer SASL GSSAPI plugin code and added the changes needed for GSI.