This is an automated email from the ASF dual-hosted git repository.
gutoveronezi pushed a commit to branch staging-site
in repository https://gitbox.apache.org/repos/asf/cloudstack-www.git
The following commit(s) were added to refs/heads/staging-site by this push:
new 50c94e7b5 Release 4.18.2.4-4.19.1.2
50c94e7b5 is described below
commit 50c94e7b56504a0eef01b4bf3b4670f44c27bc8c
Author: Daniel Augusto Veronezi Salvador <[email protected]>
AuthorDate: Tue Oct 15 11:17:29 2024 -0300
Release 4.18.2.4-4.19.1.2
---
.../banner.png | Bin 0 -> 259777 bytes
.../index.md | 117 +++++++++++++++++++++
blog/authors.yml | 6 ++
src/components/Releases/index.tsx | 2 +
src/pages/downloads.mdx | 32 +++---
src/pages/index.tsx | 8 +-
6 files changed, 145 insertions(+), 20 deletions(-)
diff --git
a/blog/2024-10-15-security-release-advisory-4.18.2.4-4.19.1.2/banner.png
b/blog/2024-10-15-security-release-advisory-4.18.2.4-4.19.1.2/banner.png
new file mode 100644
index 000000000..6d883416f
Binary files /dev/null and
b/blog/2024-10-15-security-release-advisory-4.18.2.4-4.19.1.2/banner.png differ
diff --git
a/blog/2024-10-15-security-release-advisory-4.18.2.4-4.19.1.2/index.md
b/blog/2024-10-15-security-release-advisory-4.18.2.4-4.19.1.2/index.md
new file mode 100644
index 000000000..97674fda2
--- /dev/null
+++ b/blog/2024-10-15-security-release-advisory-4.18.2.4-4.19.1.2/index.md
@@ -0,0 +1,117 @@
+---
+layout: post
+title: "[ADVISORY] Apache CloudStack LTS Security Releases 4.18.2.4 and
4.19.1.2"
+tags: [announcement]
+authors: [gutoveronezi]
+slug: security-release-advisory-4.18.2.4-4.19.1.2
+---
+
+[](/blog/security-release-advisory-4.18.2.4-4.19.1.2)
+
+The Apache CloudStack project announces the release of LTS security releases
[4.18.2.4](https://github.com/apache/cloudstack/releases/tag/4.18.2.4) and
[4.19.1.2](https://github.com/apache/cloudstack/releases/tag/4.19.1.2) that
address the following security issues:
+
+- CVE-2024-45219 (severity 'Important')
+- CVE-2024-45461 (severity 'Moderate')
+- CVE-2024-45462 (severity 'Moderate')
+- CVE-2024-45693 (severity 'Important')
+
+## [CVE-2024-45219](https://www.cve.org/CVERecord?id=CVE-2024-45219): Uploaded
and registered templates and volumes can be used to abuse KVM-based
infrastructure
+
+Account users in Apache CloudStack by default are allowed to upload and
register templates for deploying instances and volumes for attaching them as
data disks to their existing instances. Due to missing validation checks for
KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and
4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates
and volumes, can use them to deploy malicious instances or attach uploaded
volumes to their existing instances o [...]
+
+Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or
later, which addresses this issue.
+
+Additionally, all user-uploaded or registered KVM-compatible templates and
volumes can be scanned and checked that they are flat files that should not be
using any additional or unnecessary features. For example, operators can run
this on their secondary storage(s) and inspect output. An empty output for the
disk being validated means it has no references to the host filesystems; on the
other hand, if the output for the disk being validated is not empty, it might
indicate a compromised disk.
+
+```
+for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo
"Retrieving file [$file] info. If the output is not empty, that might indicate
a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ;
printf "\n\n"; done
+```
+
+The command can also be run for the file-based primary storages; however, bear
in mind that (i) volumes created from templates will have references for the
templates at first and (ii) volumes can be consolidated while migrating, losing
their references to the templates. Therefore, the command execution for the
primary storages can show both false positives and false negatives.
+
+For checking the whole template/volume features of each disk, operators can
run the following command:
+
+```
+for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo
"Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done
+```
+
+
+## [CVE-2024-45461](https://www.cve.org/CVERecord?id=CVE-2024-45461): Access
checks not enforced in Quota
+
+The CloudStack Quota feature allows cloud administrators to implement a quota
or usage limit system for cloud resources, and is disabled by default. In
environments where the feature is enabled, due to missing access check
enforcements, non-administrative CloudStack user accounts are able to access
and modify quota-related configurations and data. This issue affects Apache
CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1,
where the Quota feature is enabled.
+
+Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or
later, which addresses this issue. Alternatively, users that do not use the
Quota feature are advised to disabled the plugin by setting the global setting
"quota.enable.service" to "false".
+
+## [CVE-2024-45462](https://www.cve.org/CVERecord?id=CVE-2024-45462):
Incomplete session invalidation on web interface logout
+
+The logout operation in the CloudStack web interface does not expire the user
session completely which is valid until expiry by time or restart of the
backend service. An attacker that has access to a user's browser can use an
unexpired session to gain access to resources owned by the logged out user
account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3;
and from 4.19.0.0 through 4.19.1.1.
+
+Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or
later, which addresses this issue.
+
+## [CVE-2024-45693](https://www.cve.org/CVERecord?id=CVE-2024-45693): Request
origin validation bypass makes account takeover possible
+
+Users logged into the Apache CloudStack's web interface can be tricked to
submit malicious CSRF requests due to missing validation of the origin of the
requests. This can allow an attacker to gain privileges and access to resources
of the authenticated users and may lead to account takeover, disruption,
exposure of sensitive data and compromise integrity of the resources owned by
the user account that are managed by the platform.
+
+This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and
4.19.0.0 through 4.19.1.1
+
+Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or
later, which addresses this issue.
+
+## Credits
+
+The CVEs are credited to the following reporters:
+
+- CVE-2024-45219:
+ - Daniel Augusto Veronezi Salvador (<[email protected]>)
+
+- CVE-2024-45461:
+ - Fabrício Duarte (<[email protected]>)
+
+- CVE-2024-45462:
+ - Arthur Souza
+ - Felipe Olivaes
+
+- CVE-2024-45693:
+ - Arthur Souza
+ - Felipe Olivaes
+
+## Affected versions:
+
+
+- CVE-2024-45219:
+ - Apache CloudStack 4.0.0 through 4.18.2.3
+ - Apache CloudStack 4.0.0 through 4.19.1.1
+
+- CVE-2024-45461:
+ - Apache CloudStack 4.7.0 through 4.18.2.3
+ - Apache CloudStack 4.7.0 through 4.19.1.1
+
+- CVE-2024-45462:
+ - Apache CloudStack 4.15.1.0 through 4.18.2.3
+ - Apache CloudStack 4.15.1.0 through 4.19.1.1
+
+- CVE-2024-45693:
+ - Apache CloudStack 4.15.1.0 through 4.18.2.3
+ - Apache CloudStack 4.15.1.0 through 4.19.1.1
+
+## Resolution
+
+Users are recommended to upgrade to version 4.18.2.4, 4.19.1.2 or later, which
addresses these issues. Additionally, users on a version older than 4.19.1.0
are advised to skip 4.19.1.0 and upgrade to 4.19.1.2 instead.
+
+## Downloads and Documentation
+
+The official source code for the 4.18.2.4 and 4.19.1.2 releases can be
downloaded from the project downloads page:
+
+https://cloudstack.apache.org/downloads
+
+The 4.18.2.4 and 4.19.1.2 release notes can be found at:
+- https://docs.cloudstack.apache.org/en/4.18.2.4/releasenotes/about.html
+- https://docs.cloudstack.apache.org/en/4.19.1.2/releasenotes/about.html
+
+In addition to the official source code release, individual contributors have
also made release packages available on the Apache CloudStack download page,
and available at:
+
+- https://download.cloudstack.org/el/7/
+- https://download.cloudstack.org/el/8/
+- https://download.cloudstack.org/el/9/
+- https://download.cloudstack.org/suse/15/
+- https://download.cloudstack.org/ubuntu/dists/
+- https://www.shapeblue.com/cloudstack-packages/
diff --git a/blog/authors.yml b/blog/authors.yml
index d8a6c18e6..413504779 100644
--- a/blog/authors.yml
+++ b/blog/authors.yml
@@ -39,3 +39,9 @@ nicolas:
title: PMC Member
url: https://github.com/nvazquez
image_url: https://github.com/nvazquez.png
+
+gutoveronezi:
+ name: Daniel Augusto Veronezi Salvador
+ title: PMC Member
+ url: https://github.com/gutoveronezi
+ image_url: https://github.com/gutoveronezi.png
diff --git a/src/components/Releases/index.tsx
b/src/components/Releases/index.tsx
index 84a2f847c..d82d897bd 100644
--- a/src/components/Releases/index.tsx
+++ b/src/components/Releases/index.tsx
@@ -1,11 +1,13 @@
import React from "react";
const versions = [
+ '4.19.1.2',
'4.19.1.1',
'4.19.1.0',
'4.19.0.2',
'4.19.0.1',
'4.19.0.0',
+ '4.18.2.4',
'4.18.2.3',
'4.18.2.2',
'4.18.2.1',
diff --git a/src/pages/downloads.mdx b/src/pages/downloads.mdx
index be478fc5c..8ff6b0fff 100644
--- a/src/pages/downloads.mdx
+++ b/src/pages/downloads.mdx
@@ -18,42 +18,42 @@ releases](https://github.com/apache/cloudstack/releases).
### Source Releases
-Apache CloudStack's most recent release is `4.19.1.1`. This is current
+Apache CloudStack's most recent release is `4.19.1.2`. This is current
CloudStack LTS release.
-<a className="button button--primary button--lg"
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.1/apache-cloudstack-4.19.1.1-src.tar.bz2";>Get
the 4.19.1.1 Source</a>
+<a className="button button--primary button--lg"
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2";>Get
the 4.19.1.2 Source</a>
<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/KEYS";>KEYS</a>
-<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/releases/4.19.1.1/apache-cloudstack-4.19.1.1-src.tar.bz2.asc";>PGP</a>
-<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/releases/4.19.1.1/apache-cloudstack-4.19.1.1-src.tar.bz2.sha512";>SHA512</a>
+<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2.asc";>PGP</a>
+<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2.sha512";>SHA512</a>
<br/><br/>
-Full release notes can be found in the version [4.19.1.1 Release
-Notes](https://docs.cloudstack.apache.org/en/4.19.1.1/releasenotes/) website.
+Full release notes can be found in the version [4.19.1.2 Release
+Notes](https://docs.cloudstack.apache.org/en/4.19.1.2/releasenotes/) website.
Instructions for building from source and installing Apache CloudStack can be
found in the [Installation
-Guide](https://docs.cloudstack.apache.org/en/4.19.1.1/installguide/).
+Guide](https://docs.cloudstack.apache.org/en/4.19.1.2/installguide/).
Instructions for building from source and upgrading from a previous version of
-CloudStack to Apache CloudStack 4.19.1.1 can be found in the upgrade section of
+CloudStack to Apache CloudStack 4.19.1.2 can be found in the upgrade section of
the Release Notes (see above).
-The latest CloudStack LTS maintenance release is `4.18.2.3` as part of the
+The latest CloudStack LTS maintenance release is `4.18.2.4` as part of the
previous LTS release.
-<a className="button button--primary button--lg"
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.3/apache-cloudstack-4.18.2.3-src.tar.bz2";>Get
the 4.18.2.3 Source</a>
+<a className="button button--primary button--lg"
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2";>Get
the 4.18.2.4 Source</a>
<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/KEYS";>KEYS</a>
-<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/releases/4.18.2.3/apache-cloudstack-4.18.2.3-src.tar.bz2.asc";>PGP</a>
-<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/releases/4.18.2.3/apache-cloudstack-4.18.2.3-src.tar.bz2.sha512";>SHA512</a>
+<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2.asc";>PGP</a>
+<a className="button button--secondary button--sm"
href="https://downloads.apache.org/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2.sha512";>SHA512</a>
<br/><br/>
-Full release notes can be found in the version [4.18.2.3 Release
-Notes](https://docs.cloudstack.apache.org/en/4.18.2.3/releasenotes/) website.
+Full release notes can be found in the version [4.18.2.4 Release
+Notes](https://docs.cloudstack.apache.org/en/4.18.2.4/releasenotes/) website.
Instructions for building from source and installing Apache CloudStack can be
found in the [Installation
-Guide](https://docs.cloudstack.apache.org/en/4.18.2.3/installguide/).
+Guide](https://docs.cloudstack.apache.org/en/4.18.2.4/installguide/).
Instructions for building from source and upgrading from a previous version of
-CloudStack to Apache CloudStack 4.18.2.3 can be found in the upgrade section of
+CloudStack to Apache CloudStack 4.18.2.4 can be found in the upgrade section of
the Release Notes (see above).
### Community Packages
diff --git a/src/pages/index.tsx b/src/pages/index.tsx
index 1185b5001..2c84a5e3a 100644
--- a/src/pages/index.tsx
+++ b/src/pages/index.tsx
@@ -26,8 +26,8 @@ Apache CloudStack™ is an open-source software system
designed to deploy and m
<div className="center-buttons">
<a href="downloads" className="btn btn-light
btn-size">Download</a>
- <a href="https://docs.cloudstack.apache.org/en/4.19.1.1/";
target="_blank" className="btn btn-outline-light btn-size">Documentation</a>
- <p className="small mt-3">Apache CloudStack 4.19.1.1 is out!</p>
+ <a href="https://docs.cloudstack.apache.org/en/4.19.1.2/";
target="_blank" className="btn btn-outline-light btn-size">Documentation</a>
+ <p className="small mt-3">Apache CloudStack 4.19.1.2 is out!</p>
</div>
</div>
<div className="col-lg-7"><img
src="/img/CloudStack_monkey_cloud.png" className="img-fluid" alt=""/></div>
@@ -219,10 +219,10 @@ specific infrastructure.
<div className="col col-lg-5">
<h2 className="section-title mb-4 margin-second">Latest
Release</h2>
<div className="center-buttons">
- <p className="px18">Apache CloudStack 4.19.1.1 is
out!<br/>This is the latest LTS release.</p>
+ <p className="px18">Apache CloudStack 4.19.1.2 is
out!<br/>This is the latest LTS release.</p>
<a href="downloads" className="btn btn-primary
btn-size">Download</a>
- <a href="https://docs.cloudstack.apache.org/en/4.19.1.1/";
target="_blank" className="btn btn-outline-secondary btn-size">Documentation</a>
+ <a href="https://docs.cloudstack.apache.org/en/4.19.1.2/";
target="_blank" className="btn btn-outline-secondary btn-size">Documentation</a>
</div>
</div>
<div className="col-lg-7"><img
src="/img/CloudStack_release_illustration.png" className="img-fluid
img-release" alt=""/></div>
