Merge pull request #39 from adciu/master

Updating to add OSG-SEC-2024-12-05-Stack-based-buffer-overflow-detected-in-XRootD-5.7.x.md

docs/OSGSecurityAnnouncements.md

@@ -1,5 +1,6 @@
 | Date        | Title                                                 | Contents/Link       |   Risk        |
 |-------------|-------------------------------------------------------|---------------------|---------------|
+| 2024-12-05  | Stack based buffer overflow detected in XRootD 5.7.x | [OSG-SEC-2024-12-05](./vulns/OSG-SEC-2024-12-05-Stack-based-buffer-overflow-detected-in-XRootD-5.7.x.md) |     |
 | 2024-10-03  | IDTOKEN Signing Key Present In OSG Hosted-CE Container Images | [OSG-SEC-2024-10-03](./vulns/OSG-SEC-2024-10-03.md) |     |
 | 2024-01-09  | HIGH SSH vulnerability exploitable in Terrapin attack | [OSG-SEC-2024-01-08](./vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md) |     |
 | 2023-10-11  | HIGH Severity GNU C Library Privilege Escalation | [OSG-SEC-2023-10-09](./vulns/OSG-SEC-2023-10-09.md) |     |

docs/vulns/OSG-SEC-2024-12-05-Stack-based-buffer-overflow-detected-in-XRootD-5.7.x.md

@@ -0,0 +1,40 @@
+# OSG-SEC-2024-12-05 Stack-based buffer overflow detected in XRootD 5.7.x
+
+Dear OSG Security Contacts,
+
+TLP:GREEN 
+
+XRootD team has announced a security vulnerability in XRootD 5.7.x. This vulnerability is a network-reachable stack-based buffer overflow that could allow an attacker to crash vulnerable XRootD installs.
+
+The official advisory[1] will be released to coincide with the public announcement of the XrootD 5.7.2 release. This security announcement is being sent to give time for sites to update prior to the official announcement; as such this announcement will not be publicly posted on our website until the official XRootD advisory is posted.
+
+## IMPACTED VERSIONS:
+XRootD 5.7.0 and 5.7.1
+
+## WHAT ARE THE VULNERABILITIES:
+This vulnerability consists in a stack-based buffer overflow coming from
+std::regex which may crash when matching very long lines. This would allow
+a malicious agent to cause a crash of either the client or the server when
+processing very long URLs or HTTP headers.
+
+## WHAT YOU SHOULD DO:
+All sites running XRootD 5.7.x should update immediately.
+
+XRootD 5.7.2 is currently available in the osg-testing repository [2]. It is also available via Github [3], XRootD release tarballs [4], and the XRootD repos [5].
+
+XRootD 5.6.9 and earlier are unaffected.
+
+## WORKAROUNDS
+
+There is no known workaround for this vulnerability, users of XRootD 5.7.0 and 5.7.1 should upgrade to XRootD 5.7.2.
+
+## REFERENCES
+[1] https://github.com/xrootd/xrootd/security/advisories/GHSA-hrvf-4x86-8xrq 
+[2] https://osg-htc.org/docs/common/yum/#repositories
+[3] https://github.com/xrootd/xrootd/releases/tag/v5.7.2
+[4] https://xrootd.web.cern.ch/download/v5.7.2/xrootd-5.7.2.tar.gz 
+[5] http://xrootd.org/dload.html#official-rpm-repositories
+
+Please contact the OSG security team at [email protected] if you have any questions or concerns.
+
+OSG Security Team 

mkdocs.yml

@@ -12,6 +12,7 @@ nav:
   - Overview: 'OSGSecurityAnnouncements.md'
   - Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md'
 - Announcement Details:
+    - OSG-SEC-2024-12-05 Stack based buffer overflow detected in XRootD-5.7.x: './vulns/OSG-SEC-2024-12-05-Stack-based-buffer-overflow-detected-in-XRootD-5.7.x.md'
     - OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images: './vulns/OSG-SEC-2024-10-03.md'
     - OSG-SEC-2024-01-08 HIGH SSH vulnerability exploitable in Terrapin attacks: './vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md'
     - OSG-SEC-2023-09-26 CRITICAL PMIx race condition vulnerability affecting Slurm: './vulns/OSG-SEC-2023-09-26.md'