Author: tomaz
Date: Tue Dec 31 14:24:27 2013
New Revision: 1554517
URL: http://svn.apache.org/r1554517
Log:
Update old security page.
Modified:
libcloud/site/trunk/content/security.mdtext
Modified: libcloud/site/trunk/content/security.mdtext
URL:
http://svn.apache.org/viewvc/libcloud/site/trunk/content/security.mdtext?rev=1554517&r1=1554516&r2=1554517&view=diff
==============================================================================
--- libcloud/site/trunk/content/security.mdtext (original)
+++ libcloud/site/trunk/content/security.mdtext Tue Dec 31 14:24:27 2013
@@ -2,6 +2,32 @@ title: Security updates and reports
## Libcloud Vulnerabilities
+### [CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when
destroying a DigitalOcean node
+
+**Severity**: Low
+**Affected Versions**: Apache Libcloud **0.12.3** to **0.13.3** (version prior
+to 0.12.3 don't include a DigitalOcean driver)
+**Description**:
+
+DigitalOcean recently changed the default API behavior from scrub to non-scrub
+when destroying a VM.
+
+Libcloud doesn't explicitly send "scrub_data" query parameter when destroying a
+node. This means nodes which are destroyed using Libcloud are vulnerable to
+later customers stealing data contained on them.
+
+Note: Only users who are using DigitalOcean driver are affected by this issue.
+
+References:
+
+* <a
href="https://digitalocean.com/blog_posts/transparency-regarding-data-security"
rel="nofollow">https://digitalocean.com/blog_posts/transparency-regarding-data-security</a>
+* <a href="https://github.com/fog/fog/issues/2525"
rel="nofollow">https://github.com/fog/fog/issues/2525</a>
+
+**Mitigation**:
+
+This vulnerability has been fixed in version 0.13.3. Users who use DigitalOcean
+driver are strongly encouraged to upgrade to this release.
+
### [CVE-2012-3446] Possible SSL MITM due to invalid regular expression used
to validate the target server hostname
**Severity**: Medium
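Review bot: The "Affected Versions" line in the new CVE-2013-6480 entry gives the range as 0.12.3 to 0.13.3, but the Mitigation paragraph says the issue "has been fixed in version 0.13.3", so 0.13.3 is listed as both affected and fixed. If the fix shipped in 0.13.3, the upper bound should be written as exclusive (for example "0.12.3 up to, but not including, 0.13.3") so readers on 0.13.3 can tell whether they need to act. On the same line, "version prior to 0.12.3 don't include" should read "versions prior to 0.12.3 don't include".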