| distributions such as CentOS6.</p></div><footer class="row docusaurus-mt-lg"><div class="col col--9"><b>Tags:</b><ul class="tags_jXut padding--none margin-left--sm"><li class="tag_QGVx"><a class="tag_zVej tagRegular_sFm0" href="/blog/tags/announcement">announcement</a></li></ul></div><div class="col text--right col--3"><a aria-label="Read more about What's coming in CloudMonkey v6.0.0" href="/blog/what-s-coming-in-cloudmonkey"><b>Read More</b></a></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="Announcing Apache CloudStack LTS Maintenance Release 4.11.2.0"><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/announcing-apache-cloudstack-lts-maintenance1">Announcing Apache CloudStack LTS Maintenance Release 4.11.2.0</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2018-11-26T00:00:00.000Z" itemprop="datePublished">November 26, 2018</time></div></header><div class="markdown" itemprop="articleBody"><p>Announcing Apache CloudStack LTS Maintenance Release 4.11.2.0</p><p>The Apache CloudStack project is pleased to announce the release of CloudStack 4.11.2.0 as part of its LTS 4.11.x releases. The CloudStack 4.11.2.0 release contains more than 70 fixes since the CloudStack 4.11.1.0 release. CloudStack LTS branches are supported for 20 months and will receive updates for the first 14 months. For the final six months only security updates are provided.</p></div><footer class="row docusaurus-mt-lg"><div class="col col--9"><b>Tags:</b><ul class="tags_jXut padding--none margin-left--sm"><li class="tag_QGVx"><a class="tag_zVej tagRegular_sFm0" href="/blog/tags/announcement">announcement</a></li></ul></div><div class="col text--right col--3"><a aria-label="Read more about Announcing Apache CloudStack LTS Maintenance Release 4.11.2.0" href="/blog/announcing-apache-cloudstack-lts-maintenance1"><b>Read More</b></a></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="The Apache CloudStack project is pleased to announce the release of CloudStack 4.11.1.0 as part of its LTS 4.11.x releases. The CloudStack 4.11.1.0 release contains more than 130 fixes since the CloudStack 4.11.0.0 release. CloudStack LTS branches are supported for 20 months and will receive updates for the first 14 months. For the final six months only security updates are provided."><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/announcing-apache-cloudstack-lts-maintenance">Announcing Apache CloudStack LTS Maintenance Release 4.11.1.0</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2018-07-03T00:00:00.000Z" itemprop="datePublished">July 3, 2018</time></div></header><div class="markdown" itemprop="articleBody"><p>The Apache CloudStack project is pleased to announce the release of CloudStack 4.11.1.0 as part of its LTS 4.11.x releases. The CloudStack 4.11.1.0 release contains more than 130 fixes since the CloudStack 4.11.0.0 release. CloudStack LTS branches are supported for 20 months and will receive updates for the first 14 months. For the final six months only security updates are provided.</p></div><footer class="row docusaurus-mt-lg"><div class="col col--9"><b>Tags:</b><ul class="tags_jXut padding--none margin-left--sm"><li class="tag_QGVx"><a class="tag_zVej tagRegular_sFm0" href="/blog/tags/announcement">announcement</a></li></ul></div><div class="col text--right col--3"><a aria-label="Read more about Announcing Apache CloudStack LTS Maintenance Release 4.11.1.0" href="/blog/announcing-apache-cloudstack-lts-maintenance"><b>Read More</b></a></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="Recently, a number of security flaws were recently found in the DNSMasq tool. This tool is used by many systems to provide DNS and DHCP services, including by the CloudStack System VMs."><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/dnsmasq-vulnerabilities-advisory-for-cloudstack">Dnsmasq Vulnerabilities Advisory for CloudStack</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2017-10-13T00:00:00.000Z" itemprop="datePublished">October 13, 2017</time></div></header><div class="markdown" itemprop="articleBody"><p>Recently, a number of security flaws were recently found in the DNSMasq tool. This tool is used by many systems to provide DNS and DHCP services, including by the CloudStack System VMs.</p><p>According to Google’s investigation into the software, out of seven issues, three — CVE-2017-14491, CVE-2017-14492, and CVE-2017-14493 — are remote code execution flaws caused by heap buffer overflow and stack buffer overflow errors through DHCP and DNS vectors.</p></div><footer class="row docusaurus-mt-lg"><div class="col col--9"><b>Tags:</b><ul class="tags_jXut padding--none margin-left--sm"><li class="tag_QGVx"><a class="tag_zVej tagRegular_sFm0" href="/blog/tags/announcement">announcement</a></li></ul></div><div class="col text--right col--3"><a aria-label="Read more about Dnsmasq Vulnerabilities Advisory for CloudStack" href="/blog/dnsmasq-vulnerabilities-advisory-for-cloudstack"><b>Read More</b></a></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="The CloudStack security team recently received notice of a significant vulnerability in a CloudStack API call - registerUserKeys. The original intention for this call was for it to only be exposed for integration work - eg not to the public network in general. A weakness in the API call's implementation allows a malicious user to reset the API keys for other users on the system, thus accessing resources and services available to that user. We have released CloudStack versions 4.8.1.1 and 4.9.0.1 with patches for this issue. More details about the release can be read on the official announcement post."><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/apache_cloudstack_registeruserkeys_authorization_vulnerability">Apache CloudStack registerUserKeys authorization vulnerability</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2016-10-27T00:00:00.000Z" itemprop="datePublished">October 27, 2016</time></div></header><div class="markdown" itemprop="articleBody"><p>The <a href="http://cloudstack.apache.org/security.html" target="_blank" rel="noopener noreferrer">CloudStack security team</a> recently received notice of a significant vulnerability in a CloudStack API call - registerUserKeys. The original intention for this call was for it to only be exposed for integration work - eg not to the public network in general. A weakness in the API call's implementation allows a malicious user to reset the API keys for other users on the system, thus accessing resources and services available to that user. We have released CloudStack versions 4.8.1.1 and 4.9.0.1 with patches for this issue. More details about the release can be read on the <a href="https://s.apache.org/qV5l" target="_blank" rel="noopener noreferrer">official announcement post</a>.</p></div><footer class="row docusaurus-mt-lg"><div class="col col--9"><b>Tags:</b><ul class="tags_jXut padding--none margin-left--sm"><li class="tag_QGVx"><a class="tag_zVej tagRegular_sFm0" href="/blog/tags/announcement">announcement</a></li></ul></div><div class="col text--right col--3"><a aria-label="Read more about Apache CloudStack registerUserKeys authorization vulnerability" href="/blog/apache_cloudstack_registeruserkeys_authorization_vulnerability"><b>Read More</b></a></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="The first Apache CloudStack™ Collab conference of 2016 on June 1-3 2016 in beautiful Montreal, Canada. This conference is aimed at developers, operators and users to discuss and evolve the open source software project, its functionality and real world operability. Part talks, part workshops, part hackathon, this event will present a great opportunity for attendees and sponsors alike. CloudOps is thrilled to host this conference at its event space, Centre cloud.ca in the heart of the city."><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/apache_cloudstack_collab_conference_for">Apache CloudStack™ Collab Conference for June 2016</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2016-04-13T00:00:00.000Z" itemprop="datePublished">April 13, 2016</time></div></header><div class="markdown" itemprop="articleBody"><p>The first <a href="http://cloudstackcollab.org" target="_blank" rel="noopener noreferrer">Apache CloudStack™ Collab conference</a> of 2016 on June 1-3 2016 in beautiful Montreal, Canada. This conference is aimed at developers, operators and users to discuss and evolve the open source software project, its functionality and real world operability. Part talks, part workshops, part hackathon, this event will present a great opportunity for attendees and sponsors alike. CloudOps is thrilled to host this conference at its event space, Centre cloud.ca in the heart of the city.</p></div><footer class="row docusaurus-mt-lg"><div class="col text--right"><a aria-label="Read more about Apache CloudStack™ Collab Conference for June 2016" href="/blog/apache_cloudstack_collab_conference_for"><b>Read More</b></a></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="Today I sent out two CloudStack-related security advisories: CVE-2015-3251 (related to VM credential exposure) and CVE-2015-3252 (related to VNC authentication). Details about these issues can be found on the CloudStack user and dev mailing lists, as well as on the Full Disclosure and BUGTRAQ security mailing lists."><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/two_late_announced_security_advisories">Two late-announced security advisories</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2016-02-05T00:00:00.000Z" itemprop="datePublished">February 5, 2016</time></div></header><div class="markdown" itemprop="articleBody"><p>Today I sent out two CloudStack-related security advisories: CVE-2015-3251 (related to VM credential exposure) and CVE-2015-3252 (related to VNC authentication). Details about these issues can be found on the CloudStack user and dev mailing lists, as well as on the Full Disclosure and BUGTRAQ security mailing lists.</p></div><footer class="row docusaurus-mt-lg"><div class="col text--right"><a aria-label="Read more about Two late-announced security advisories" href="/blog/two_late_announced_security_advisories"><b>Read More</b></a></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today the availability of Apache™ CloudStack™ v4.6, the turnkey Open Source cloud computing software platform used for creating private-, public-, and hybrid cloud environments."><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/apache_cloudstack_4_6_is">Apache CloudStack 4.6 is released</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2015-12-02T00:00:00.000Z" itemprop="datePublished">December 2, 2015</time></div></header><div class="markdown" itemprop="articleBody"><p>The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today the availability of Apache™ CloudStack™ v4.6, the turnkey Open Source cloud computing software platform used for creating private-, public-, and hybrid cloud environments.</p><p>Apache CloudStack clouds enable billions of dollars' worth of business transactions annually across their clouds, and its maturity and stability has led it to has become the Open Source platform for many service providers to set up on-demand, elastic public cloud computing services, as well as enterprises and others to set up a private or hybrid cloud for use by their own employees.</p><p>"This 4.6 release of Apache CloudStack marks a significant shift in how we release CloudStack," said Sebastien Goasguen, Vice President of Apache CloudStack. "With a focus on quality and speed of releasing software, we implemented a new release workflow which allows us to have a production-ready release branch all the time, and allows us to quickly release new features. From now on, CloudStack will be released much faster without regression and with increased quality in each version."</p><p>Recognized as the Cloud orchestration platform that "just works", CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources.</p><b><p>Under the Hood</p></b><p>CloudStack v4.6 reflects dozens of new features and improvements, including:</p><ul><li>NuageVsp Network Plugin</li><li>Bind integration with Globo DNSAPI</li><li>SAML 2.0 Plugin</li><li>Managed storage for KVM</li><li>Improved CloudByte Storage Plugin</li><li>Use SSH for commands sent to Virtual-Router</li><li>Baremetal Advanced Networking Support</li><li>Instance Password Generation length can now be changed</li></ul><p>A complete overview of all new enhancements are detailed in the project <a href="http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.6.0/index.html" target="_blank" rel="noopener noreferrer">release notes</a></p><p>CloudStack v4.6 reflects more than <a href="http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.6.0/fixed_issues.html" target="_blank" rel="noopener noreferrer">200 bug fixes</a> from previous releases.</p><p>Apache CloudStack is in use/production at thousands of organizations worldwide that includes BIT.Group GmbH, BT Cloud, China Telecom, CloudOps, DATACENTER Services, DataCentrix, Datapipe, EVRY, Exaserve, Exoscale, IDC Frontier, iKoula, Imperial College, INRIA, KDDI, Korea Telecom, LeaseWeb, M5 Hosting Inc., Melbourne University, Reliable Networks, Redbridge, SafeSwiss Cloud, Schuberg Philis, ShapeBlue, Tranquil Hosting, Trader Media Group, University of Cologne, and the University of Sao Paulo, among others.</p><p>"With the 4.6 release the Apache CloudStack continues to mature adding important new functionality that will benefit CloudCentral's customers," said Kristoffer Sheather, Founder & Chief of Australian cloud services provider CloudCentral, who have been using Apache CloudStack since 2010. "The new Redundant Routers for Virtual Private Cloud (VPC) networks feature will ensure continuous availability of customer VPC networks, and Browser Based Template & Volume Upload will make it easier for our customers to import and use their choice of operating system ISO images and import VM templates from other cloud systems."</p><p>"CloudOps is very excited about the release of Apache CloudStack 4.6, which represents significant improvements in feature set and quality," said Ian Rae, CEO of CloudOps. "We are proud of our involvement in this landmark release and look forward to supporting our customers achieve operational success in upgrading to and operating clouds based on this release. Apache CloudStack is the best kept secret in open source cloud computing and has a global user base of cloud operators many of whom contribute to the project."</p><p>"The 4.6 release of Apache CloudStack brings new features and fixes bugs which are critical for our Aurora cloud offering at PCextreme," said Wido den Hollander, CEO of PCextreme. "We've worked hard with the community to get 4.6 released. The committers working at PCextreme resolved multiple issues and also introduced new features in CloudStack including a new StatsCollector output to Graphite and better support for CEPH. This new release allows us to grow our cloud even further."</p><p>"I'm very excited with launch of the Apache CloudStack version 4.6," said Cyrano Rizzo, CIO of the University of Sao-Paulo. "This version brought many new features and benefits, such as the case in resilience with the new redundant router for VPC, the capability to rapid deployment, demo and test to run the Apache CloudStack inside Docker that will speed the growth, the possibility to manage the resources with Graphite, the ease of upload templates and volumes, among many others, this version also brought many improvements, I'm very happy with one in particular that makes SAML plugin to production grade, this functionality is helping me to build a huge project called interCloud that intend to federate many public universities across the Brazil with Single Sign On."</p><p><b>Get Involved!</b></p><p>Apache CloudStack welcomes contribution and community participation through mailing lists as well as attending face-to-face MeetUps, developer trainings, and user events. Catch Apache CloudStack in action at the next <a href="https://www.eventbrite.co.uk/e/cloudstack-european-user-group-tickets-19726408218" target="_blank" rel="noopener noreferrer">CloudStack European User Group on 3 March 2016 in London</a></p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_jXut padding--none margin-left--sm"><li class="tag_QGVx"><a class="tag_zVej tagRegular_sFm0" href="/blog/tags/announcement">announcement</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="Updated July 11th, 2015:"><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/cloudstack_and_openssl_cve_2015">CloudStack and OpenSSL CVE-2015-1793</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2015-07-10T00:00:00.000Z" itemprop="datePublished">July 10, 2015</time></div></header><div class="markdown" itemprop="articleBody"><b>Updated July 11th, 2015:</b><p>After reviewing CloudStack components and seeing <a href="https://security-tracker.debian.org/tracker/CVE-2015-1793" target="_blank" rel="noopener noreferrer">Debian's advisory</a> on CVE-2015-1793 (CloudStack's "system VM" is Debian based), it looks like CloudStack is not affected by this vulnerability.</p><p>Original post follows...</p><p>On the 9th of July, the OpenSSL project announced a high severity vulnerability within the OpenSSL library. While this particular vulnerability does not seem to affect SSL servers, there are security issues with SSL clients powered by OpenSSL. Because of this, we suspect there may be issues with parts of CloudStack which initiate SSL connections.</p><p>At this point we are still reviewing which particular versions of OpenSSL are used by different versions of CloudStack. Once this review is complete, we will further update the community and this post as to our next steps.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_jXut padding--none margin-left--sm"><li class="tag_QGVx"><a class="tag_zVej tagRegular_sFm0" href="/blog/tags/announcement">announcement</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><meta itemprop="description" content="UPDATE: mitigation instructions have been improved (don't update openswan) and we forgot to mention rebooting."><header><h2 class="title_f1Hy" itemprop="headline"><a itemprop="url" href="/blog/cloudstack_and_the_ghost_glibc">CloudStack and the "Ghost" glibc vulnerability</a></h2><div class="container_mt6G margin-vert--md"><time datetime="2015-01-28T00:00:00.000Z" itemprop="datePublished">January 28, 2015</time></div></header><div class="markdown" itemprop="articleBody"><b>UPDATE: mitigation instructions have been improved (don't update openswan) and we forgot to mention rebooting.</b><br><b>UPDATE: Links to updated System VM templates are now below</b><br><br><p>Yesterday, a buffer overflow vulnerability was announced in glibc that affects most current Linux distributions. In CloudStack, the system VMs contain a vulnerable version of glibc. </p><p>CloudStack community members have built an updated system VM template, which ShapeBlue is hosting at <a href="http://packages.shapeblue.com/systemvmtemplate/" target="_blank" rel="noopener noreferrer">http://packages.shapeblue.com/systemvmtemplate/</a> (More information on the packages at <a href="http://shapeblue.com/packages" target="_blank" rel="noopener noreferrer">http://shapeblue.com/packages</a>). </p><p>For instructions on how to update the SystemVM template in CloudStack, see <a href="http://support.citrix.com/article/CTX200024" target="_blank" rel="noopener noreferrer">here</a>.</p><p>For those who wish to patch their running system VMs, ssh into each one and run:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token plain">apt-mark hold openswan apt-get clean apt-get update && apt-get upgrade</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>After updating glibc, the system will need to be rebooted.</p><p>Information about how to connect to your System VMs is available <a href="https://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.2.0/html/Admin_Guide/accessing-system-vms.html" target="_blank" rel="noopener noreferrer">here</a>.</p><h2>Other CloudStack-related systems may be affected!</h2><p>Please review security updates from Linux distributions you use on your management server, storage systems, hypervisors, as well as other Linux VMs and bare-metal systems running in your environments. <a href="http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/" target="_blank" rel="noopener noreferrer">This post</a> provides instructions for determining if a system is vulnerable, as well as patching directions for common Linux distributions.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_jXut padding--none margin-left--sm"><li class="tag_QGVx"><a class="tag_zVej tagRegular_sFm0" href="/blog/tags/announcement">announcement</a></li></ul></div></footer></article><nav class="pagination-nav" aria-label="Blog list page navigation"><a class="pagination-nav__link pagination-nav__link--prev" href="/blog/page/8"><div class="pagination-nav__label">Newer Entries</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/blog/page/10"><div class="pagination-nav__label">Older Entries</div></a></nav></main></div></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="margin-bottom--sm"><a href="https://cloudstack.apache.org/" rel="noopener noreferrer" class="footerLogoLink_BH7S"><img src="/img/ACS_logo_slogan.svg" alt="Apache CloudStack logo" class="themedImage_ToTc themedImage--light_HNdA footer__logo"><img src="/img/ACS_logo_slogan.svg" alt="Apache CloudStack logo" class="themedImage_ToTc themedImage--dark_i4oU footer__logo"></a></div><div class="footer__copyright"> |
