This is an automated email from the ASF dual-hosted git repository.

dahn pushed a commit to branch staging-site
in repository https://gitbox.apache.org/repos/asf/cloudstack-www.git


The following commit(s) were added to refs/heads/staging-site by this push:
     new 298d42874 release 4.19.1.3 (#259)
298d42874 is described below

commit 298d428746d91995ce1f17ea5ad2572a2ed1ab7f
Author: dahn <[email protected]>
AuthorDate: Tue Nov 12 14:15:14 2024 +0100

    release 4.19.1.3 (#259)
    
    * CVE-2024-50386
---
 .../banner.png                                     | Bin 0 -> 595536 bytes
 .../index.md                                       |  69 +++++++++++++++++++++
 src/components/Releases/index.tsx                  |   2 +
 src/pages/downloads.mdx                            |  32 +++++-----
 src/pages/index.tsx                                |   8 +--
 5 files changed, 91 insertions(+), 20 deletions(-)

diff --git 
a/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/banner.png 
b/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/banner.png
new file mode 100644
index 000000000..bfc2de878
Binary files /dev/null and 
b/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/banner.png differ
diff --git 
a/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/index.md 
b/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/index.md
new file mode 100644
index 000000000..af5c67a36
--- /dev/null
+++ b/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/index.md
@@ -0,0 +1,69 @@
+---
+layout: post
+title: "[ADVISORY] Apache CloudStack LTS Security Releases 4.18.2.5 and 
4.19.1.3"
+tags: [announcement]
+authors: [gutoveronezi]
+slug: security-release-advisory-4.18.2.5-4.19.1.3
+---
+
+[![](banner.png "Apache CloudStack LTS Security Releases 4.18.2.5 and 
4.19.1.3")](/blog/security-release-advisory-4.18.2.5-4.19.1.3)
+
+The Apache CloudStack project announces the release of LTS security releases 
[4.18.2.5](https://github.com/apache/cloudstack/releases/tag/4.18.2.5) and 
[4.19.1.3](https://github.com/apache/cloudstack/releases/tag/4.19.1.3) that 
address the following security issues:
+
+- CVE-2024-50386 (severity 'Important')
+
+<!-- truncate -->
+
+## [CVE-2024-50386](https://www.cve.org/CVERecord?id=CVE-2024-50386): Directly 
downloaded templates can be used to abuse KVM-based infrastructure
+
+Account users in Apache CloudStack by default are allowed to register 
templates to be downloaded directly to the primary storage for deploying 
instances. Due to missing validation checks for KVM-compatible templates in 
CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker 
that can register templates, can use them to deploy malicious instances on 
KVM-based environments and exploit this to gain access to the host filesystems 
that could result in the compromise of res [...]
+
+Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or 
later, which addresses this issue.
+
+Additionally, all user-registered KVM-compatible templates can be scanned and 
checked that they are flat files that should not be using any additional or 
unnecessary features. For example, operators can run the following command on 
their file-based primary storage(s) and inspect the output. An empty output for 
the disk being validated means it has no references to the host filesystems; on 
the other hand, if the output for the disk being validated is not empty, it 
might indicate a comprom [...]
+
+```
+for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo 
"Retrieving file [$file] info. If the output is not empty, that might indicate 
a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; 
printf "\n\n"; done
+```
+
+For checking the whole template/volume features of each disk, operators can 
run the following command:
+
+```
+for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo 
"Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done
+```
+
+## Credits
+
+The CVEs are credited to the following reporters:
+
+- CVE-2024-50386:
+  - Kiran Chavala <[email protected]> (reporter)
+
+## Affected versions:
+
+- CVE-2024-50386:
+  - Apache CloudStack 4.0.0 through 4.18.2.4
+  - Apache CloudStack 4.19.0.0 through 4.19.1.2
+
+## Resolution
+
+Users are recommended to upgrade to version 4.18.2.5, 4.19.1.3 or later, which 
addresses this issue. Additionally, users on a version older than 4.19.1.0 are 
advised to skip 4.19.1.0 and upgrade to 4.19.1.3 instead.
+
+## Downloads and Documentation
+
+The official source code for the 4.18.2.5 and 4.19.1.3 releases can be 
downloaded from the project downloads page:
+
+https://cloudstack.apache.org/downloads
+
+The 4.18.2.5 and 4.19.1.3 release notes can be found at:
+- https://docs.cloudstack.apache.org/en/4.18.2.5/releasenotes/about.html
+- https://docs.cloudstack.apache.org/en/4.19.1.3/releasenotes/about.html
+
+In addition to the official source code release, individual contributors have 
also made release packages available on the Apache CloudStack download page, 
and available at:
+
+- https://download.cloudstack.org/el/7/
+- https://download.cloudstack.org/el/8/
+- https://download.cloudstack.org/el/9/
+- https://download.cloudstack.org/suse/15/
+- https://download.cloudstack.org/ubuntu/dists/
+- https://www.shapeblue.com/cloudstack-packages/
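Review bot: the two scanning loops in the new advisory (`for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do ... qemu-img info -U $file | grep file: ...`) leave both the `-regex` argument and `$file` unquoted, so the shell can glob-expand `[a-f0-9\-]*.*` against the operator's current directory before `find` ever sees it, and any path containing whitespace is split into separate words and fails the `qemu-img info` call; in addition GNU find's `-regex` matches against the whole path, so `[a-f0-9\-]*.*` accepts every regular file and does not actually restrict the scan to UUID-named disks. Suggest a null-delimited loop such as `find /path/to/storage/ -type f -print0 | while IFS= read -r -d '' file; do qemu-img info -U "$file" | grep 'file:'; done`, which keeps the `grep file:` that surfaces `backing file:` references to paths outside the storage pool. Minor style point in the same file: `## Affected versions:` carries a trailing colon that the other `##` headings (`## Credits`, `## Resolution`) do not.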
diff --git a/src/components/Releases/index.tsx 
b/src/components/Releases/index.tsx
index d82d897bd..190efc703 100644
--- a/src/components/Releases/index.tsx
+++ b/src/components/Releases/index.tsx
@@ -1,12 +1,14 @@
 import React from "react";
 
 const versions = [
+       '4.19.1.3',
        '4.19.1.2',
        '4.19.1.1',
        '4.19.1.0',
        '4.19.0.2',
        '4.19.0.1',
        '4.19.0.0',
+       '4.18.2.5',
        '4.18.2.4',
        '4.18.2.3',
        '4.18.2.2',
diff --git a/src/pages/downloads.mdx b/src/pages/downloads.mdx
index 8ff6b0fff..c30263d88 100644
--- a/src/pages/downloads.mdx
+++ b/src/pages/downloads.mdx
@@ -18,42 +18,42 @@ releases](https://github.com/apache/cloudstack/releases).
 
 ### Source Releases
 
-Apache CloudStack's most recent release is `4.19.1.2`. This is current
+Apache CloudStack's most recent release is `4.19.1.3`. This is current
 CloudStack LTS release.
 
-<a className="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2";>Get
 the 4.19.1.2 Source</a>&nbsp;
+<a className="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.3/apache-cloudstack-4.19.1.3-src.tar.bz2";>Get
 the 4.19.1.3 Source</a>&nbsp;
 <a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/KEYS";>KEYS</a>&nbsp;
-<a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2.asc";>PGP</a>&nbsp;
-<a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2.sha512";>SHA512</a>
+<a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.1.3/apache-cloudstack-4.19.1.3-src.tar.bz2.asc";>PGP</a>&nbsp;
+<a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.1.3/apache-cloudstack-4.19.1.3-src.tar.bz2.sha512";>SHA512</a>
 <br/><br/>
 
-Full release notes can be found in the version [4.19.1.2 Release
-Notes](https://docs.cloudstack.apache.org/en/4.19.1.2/releasenotes/) website.
+Full release notes can be found in the version [4.19.1.3 Release
+Notes](https://docs.cloudstack.apache.org/en/4.19.1.3/releasenotes/) website.
 
 Instructions for building from source and installing Apache CloudStack can be
 found in the [Installation
-Guide](https://docs.cloudstack.apache.org/en/4.19.1.2/installguide/).
+Guide](https://docs.cloudstack.apache.org/en/4.19.1.3/installguide/).
 Instructions for building from source and upgrading from a previous version of
-CloudStack to Apache CloudStack 4.19.1.2 can be found in the upgrade section of
+CloudStack to Apache CloudStack 4.19.1.3 can be found in the upgrade section of
 the Release Notes (see above).
 
-The latest CloudStack LTS maintenance release is `4.18.2.4` as part of the
+The latest CloudStack LTS maintenance release is `4.18.2.5` as part of the
 previous LTS release.
 
-<a className="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2";>Get
 the 4.18.2.4 Source</a>&nbsp;
+<a className="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.5/apache-cloudstack-4.18.2.5-src.tar.bz2";>Get
 the 4.18.2.5 Source</a>&nbsp;
 <a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/KEYS";>KEYS</a>&nbsp;
-<a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2.asc";>PGP</a>&nbsp;
-<a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2.sha512";>SHA512</a>
+<a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.5/apache-cloudstack-4.18.2.5-src.tar.bz2.asc";>PGP</a>&nbsp;
+<a className="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.5/apache-cloudstack-4.18.2.5-src.tar.bz2.sha512";>SHA512</a>
 <br/><br/>
 
-Full release notes can be found in the version [4.18.2.4 Release
-Notes](https://docs.cloudstack.apache.org/en/4.18.2.4/releasenotes/) website.
+Full release notes can be found in the version [4.18.2.5 Release
+Notes](https://docs.cloudstack.apache.org/en/4.18.2.5/releasenotes/) website.
 
 Instructions for building from source and installing Apache CloudStack can be
 found in the [Installation
-Guide](https://docs.cloudstack.apache.org/en/4.18.2.4/installguide/).
+Guide](https://docs.cloudstack.apache.org/en/4.18.2.5/installguide/).
 Instructions for building from source and upgrading from a previous version of
-CloudStack to Apache CloudStack 4.18.2.4 can be found in the upgrade section of
+CloudStack to Apache CloudStack 4.18.2.5 can be found in the upgrade section of
 the Release Notes (see above).
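Review bot: the new 4.19.1.3 and 4.18.2.5 source buttons keep `http://www.apache.org/dyn/closer.lua/...` while the KEYS, PGP and SHA512 links right beside them use https; since closer.lua issues a redirect to a mirror, a plain-http first hop lets an on-path attacker rewrite that redirect, so switch the primary buttons to `https://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.3/apache-cloudstack-4.19.1.3-src.tar.bz2` (and the 4.18.2.5 equivalent) and rely on the PGP signature against KEYS for integrity rather than transport alone. Grammar in the unchanged context line: `This is current CloudStack LTS release.` should read `This is the current CloudStack LTS release.`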
 
 ### Community Packages
diff --git a/src/pages/index.tsx b/src/pages/index.tsx
index 2c84a5e3a..15a879813 100644
--- a/src/pages/index.tsx
+++ b/src/pages/index.tsx
@@ -26,8 +26,8 @@ Apache CloudStack™  is an open-source software system 
designed to deploy and m
             <div className="center-buttons">
               <a href="downloads" className="btn btn-light 
btn-size">Download</a>
              &nbsp;
-              <a href="https://docs.cloudstack.apache.org/en/4.19.1.2/"; 
target="_blank" className="btn btn-outline-light btn-size">Documentation</a>
-              <p className="small mt-3">Apache CloudStack 4.19.1.2 is out!</p>
+              <a href="https://docs.cloudstack.apache.org/en/4.19.1.3/"; 
target="_blank" className="btn btn-outline-light btn-size">Documentation</a>
+              <p className="small mt-3">Apache CloudStack 4.19.1.3 is out!</p>
             </div>
           </div>
           <div className="col-lg-7"><img 
src="/img/CloudStack_monkey_cloud.png" className="img-fluid" alt=""/></div>
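Review bot: the updated Documentation link (`<a href="https://docs.cloudstack.apache.org/en/4.19.1.3/" target="_blank" className="btn btn-outline-light btn-size">`) opens in a new tab without `rel="noopener noreferrer"`, so the opened page can reach `window.opener` in browsers that do not imply noopener for `target="_blank"`; add the `rel` attribute here and on the matching Documentation link in the Latest Release block below while the version bump touches these lines.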
@@ -219,10 +219,10 @@ specific infrastructure.
               <div className="col col-lg-5">
                 <h2 className="section-title mb-4 margin-second">Latest 
Release</h2>
                 <div className="center-buttons">
-                  <p className="px18">Apache CloudStack 4.19.1.2 is 
out!<br/>This is the latest LTS release.</p>
+                  <p className="px18">Apache CloudStack 4.19.1.3 is 
out!<br/>This is the latest LTS release.</p>
                   <a href="downloads" className="btn btn-primary 
btn-size">Download</a>
                   &nbsp;
-                  <a href="https://docs.cloudstack.apache.org/en/4.19.1.2/"; 
target="_blank" className="btn btn-outline-secondary btn-size">Documentation</a>
+                  <a href="https://docs.cloudstack.apache.org/en/4.19.1.3/"; 
target="_blank" className="btn btn-outline-secondary btn-size">Documentation</a>
                 </div>
               </div>
               <div className="col-lg-7"><img 
src="/img/CloudStack_release_illustration.png" className="img-fluid 
img-release" alt=""/></div>
