The Apache CloudStack Blog

Friday Jan 10, 2014

[CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall rules allowing additional access

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Bypass
Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1, 4.2.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 2.8 (AV:N/AC:M/Au:M/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of a an issue in the Apache CloudStack virtual router that failed to preserve source restrictions in firewall rules after a virtual router had been stopped and restarted.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5263

Credit:

This issue was identified by the Cloud team at Schuberg Philis

[CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of a an issue in Apache CloudStack which permits an authenticated user to list network ACLs for other users.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5145

Credit:

This issue was identified by Marcus Sorensen

Thursday Sep 05, 2013

Apache CloudStack Weekly News - 4 September 2013

Welcome back to another exciting issue of the Apache CloudStack Weekly News. This week, 4.2.0 enters it's fourth round of voting, we welcome several new committers and look at some of the major discussions on the Apache CloudStack mailing lists, and much more.

Major Discussions

4.2 is Now being Voted On

The fourth round of voting is now open on the 4.2 release. This release is full of new features, fixes and thousands of hours of work from everyone in the community. It's important to test and cast your vote on the release. Remember that all members of the community are eligible to cast a vote and note any issues that they have with the current release candidate.

4.2 Issues Closure

Sudha Ponnaganti has throughout the 4.2 put together a list of the the current blocker and critical issues that need to be reviewed. If you have issues that have been resolved please review, test, and close out please.

High Quality Documentation

For some time now there has been discussion around a possible replacement to our current use DocBook for our primary document editor. Sebastien Goasguen started a discussion to look at Markdown by Daring Fireball. With there being concern about how to create and maintain high quality documentation, this is an important thread to participate in for anyone interested in the release documents.

After seeing lots of frustrated people with folks I decided to try something out with markdown.

I used pandoc to convert some docbook files to markdown and I used a structure for a book based on 'The little mongodb' book.
We can generate epub and pdf using latex.

See: link

There are two "books" aimed at being step by step recipes. Not long, not convoluted, single OS, etc…simple step by step.

link
link

I am still sanitizing the installation one based on 4.2 .

Comments, flames ?

CloudStack Planet

Speaking in Tech Podcast - The Register

Aaron Delp joined in as a part of talking cloud and especially CloudStack as part of an interview with The Register and their "Speaking in Tech" podcast series.

Aaron's section on ACS is from 17:45 to 26:00 - http://www.theregister.co.uk/2013/08/01/speaking_in_tech_episode_69/

CloudStack Appliances Released

Ilya Musayev a committer of the ACS project and founder of CloudSands project has recently announced the release of a set of pre-built management server appliances available for open use based off the ACS 4.1.1 code base. There are appliances for VMware, Xen and KVM hypervisors.

Objective: Speed up the Apache CloudStack adoption by abstracting the need of going through install process and using pre-installed package instead. Especially useful for a quick POC.

vSphere:
Short URL: link
Long URL: link

KVM:
Short URL: link
Long URL: link

XEN:
Short URL: link
Full URL: link

Minimum Requirements:
1 CPU x 2 GB of RAM

Testing:

Please spend few minutes on testing these out, you can import it as a template into your ACS - power on and see the details on initial start.
I've tested vSphere and KVM version. I don't have XEN instance to try.

Events

New Committers and PMC Members

  • Ilya Musayev has been invited to join the CloudStack PMC, and has accepted.
  • Vijay Bhamidipati has been invited by the PMC to become a committer and has accepted.
  • Toshiaki Hatano has been invited by the PMC to become a committer and has accepted.
  • Kirk Kosinski has been invited by the PMC to become a committer and has accepted.
  • Ian Duffy has been invited by the PMC to become a committer and has accepted.

Friday Aug 16, 2013

Announcing the CloudStack Collaboration Conference - Europe

With two very successful events in the United Stated we know it is time to bring this conference to Europe. This time we’re gathering the community in The Netherlands. More specific, right in the center of Amsterdam in one of its historical landmarks, the Beurs van Berlage.

Starting November 20th with a hack day and continuing with a two day conference, this will be your opportunity to dive into all things CloudStack. Meet the community, discuss new ideas and learn about existing and upcoming features. We have setup the conference to provide an exciting environment to participate in workshops, attend presentations or just sit back and have a drink with other CloudStack enthusiasts.

The Call for Papers is open right now, so send your abstract to cfp@cloudstackcollab.org. If it’s relevant to Apache CloudStack development, deployment, and integration, we’re interested in what you might have to say. We can accommodate workshops, hack sessions, presentation and we want to work with you to make sure you can share what you want with the community. Check the website for more details, http://www.cloudstackcollab.org/call-for-papers

The conference website http://www.cloudstackcollab.org will be regularly updated with new content to keep you informed about the conference. Please check it regularly to be informed about the latest developments regarding the CloudStack Collaboration Conference Europe.

Important Dates

The Call for Papers will run from today (August 16th) to September 30th. We will send out notifications shortly after closing the the Call for Papers.

The Conference Hack Day will be November 20th

The Conference talks and planned sessions begin on November 21th

The Conference ends on November 22th

Registration

We will announce the registration in a short while, please keep an eye on the website http://www.cloudstackcollab.org/ for more details.

Location

The conference will be at the Beurs van Berlage in Amsterdam, The Netherlands. Located in the city center it is close to quite a number of hotels and hostels in Amsterdam. We are looking at the possibility to make a deal with one of the hotels in the immediate vicinity of the conference location. We will update the conference website when we have the details.

Sponsoring

Sponsoring opportunities are available for the CloudStack Collaboration Conference. At the conference website http://www.cloudstackcollab.org/sponsors some of our sponsors will explain you the benefits in a video message. If you’d like to see the sponsorship prospectus or ask about sponsoring, contact sponsors@cloudstackcollab.org.

We’re very pleased to invite the community to Amsterdam and we hope you’ll join us! See you in Amsterdam!

Thursday Jul 25, 2013

Apache CloudStack Weekly News - 24 July 2013

Welcome back to another exciting issue of the Apache CloudStack Weekly News. This week, we take a look at the progress towards 4.2.0, major discussions on the Apache CloudStack mailing lists, and much more.

[Read More]

Thursday Jul 11, 2013

CloudStack Weekly News - 10 July 2013

The community is busy working on 4.2.0, and there's much to be done before the release is ready. This week, we're taking a look at some of the interesting discussions going on in the the community about the next generation of Apache CloudStack, and functionality we can provide, as well as procedural changes that everyone should be aware of.

[Read More]

Tuesday Jul 02, 2013

Apache CloudStack Weekly News - 1 July 2013

We are half way through the year and a lot of work is done, and lot more is yet to be done. This week we look back at some of the CloudStack Collaboration Conference, work continues on 4.1.1 and 4.2.0, and we have some interesting discussions on how we should release the CloudMonkey and Marvin tools used with CloudStack. There's a by-laws vote underway to look at how and where we decide non-technical issues, and some discussion on the best way to to discuss and do code reviews.

[Read More]

Tuesday Jun 18, 2013

Apache CloudStack Weekly News - 17 June 2013

It's been another busy week for the Apache CloudStack project. This week we welcome another new committer, work continues on 4.1.1 and 4.2.0, and we have some interesting discussions on how we should release the CloudMonkey and Marvin tools used with CloudStack. We've also seen a few interesting marketing discussions, and the community is gearing up for the second CloudStack Collaboration Conference taking place 23 June through 25 June in Santa Clara, CA.

[Read More]

Wednesday Jun 12, 2013

Apache CloudStack Weekly News - 10 June 2013

This week, we take a look at the 4.2.0 feature freeze pushback, the Apache CloudStack user survey, and new committers and PMC members for Apache CloudStack.

[Read More]

Tuesday May 28, 2013

4.1.0 VOTE in Progress: Testers Welcome!

The Apache CloudStack is very near to the 4.1.0 release, and as a result we’re conducting a vote on artifacts for the 4.1.0 release right now. Because we want to make sure we have the best possible release, we’d like to invite anyone who’s interested in CloudStack to take the current release candidate for a test drive. [Read More]

Monday May 13, 2013

Apache CloudStack Weekly News - 13 May 2013

What's new in Apache CloudStack? This issue, we take a look at progress towards the 4.1.0 release, major discussions in the community, and the upcoming CloudStack Collaboration Conference. We also welcome three new committers to the Apache CloudStack project, Clayton Weise, Isaac Chiang, and Phong Nguyen.

As you may have noticed, we skipped the newsletter last week. Apologies about that! This week's newsletter catches up from the beginning of May.

[Read More]

Thursday May 02, 2013

Apache CloudStack Weekly News - 29 April 2013

This week, we had discussions about the release cycle and whether a six-month cycle may be more appropriate. Work continued on the 4.1.0 release, and Apache CloudStack 4.0.2 was released.

[Read More]

Wednesday Apr 24, 2013

Apache CloudStack 4.0.2 Released

The Apache CloudStack project is pleased to announce the 4.0.2 release of the CloudStack Infrastructure-as-a-Service (IaaS) cloud orchestration platform. This is a minor release in the 4.0.0 branch, which contains fixes for 40 bugs.

[Read More]

Tuesday Apr 23, 2013

Apache CloudStack Weekly News - 22 April 2013

This time around, we have two release VOTEs in progress, which means that 4.1.0 is just about out the door. The CloudStack Collaboration Conference 2013 has been announced for June 23rd through 25th. You'll also want to check in on the discussions about the length of the release cycle, Chip Childers and David Nalley appearing on FLOSS Weekly, and much more.

A lot has happened since the last issue of the CloudStack Weekly News, and not just because the community's been busy – we missed getting last week's issue out. Sorry about that! If you'd like to see consistent weekly delivery, check the end of the newsletter to see how you can help.

[Read More]

Tuesday Apr 09, 2013

Apache CloudStack Weekly News - 8 April 2013

The Apache CloudStack community has been heads-down for the last week working out the remaining bugs for the 4.1.0 release. Chatter on the dev@ mailing list has been a little muted, comparatively, but there's still plenty of interest in this week's roundup of major discussions and CloudStack community activity.

This week, we look at the outstanding issues for 4.1.0, a discussion about allowing multiple API names for the same API Cmd object, how to deal with tests that expect no database, and how ticket assignment should work.

[Read More]

Calendar

Search

Hot Blogs (today's hits)

Tag Cloud

Categories

Feeds

Links

Navigation