Posted to notifications@libcloud.apache.org by bu...@apache.org on 2013/12/31 15:24:38 UTC

svn commit: r892272 - in /websites/staging/libcloud/trunk/content: ./ security.html

Author: buildbot
Date: Tue Dec 31 14:24:37 2013
New Revision: 892272

Log:
Staging update by buildbot for libcloud

Modified:
    websites/staging/libcloud/trunk/content/   (props changed)
    websites/staging/libcloud/trunk/content/security.html

Propchange: websites/staging/libcloud/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Dec 31 14:24:37 2013
@@ -1 +1 @@
-1554516
+1554517

Modified: websites/staging/libcloud/trunk/content/security.html
==============================================================================
--- websites/staging/libcloud/trunk/content/security.html (original)
+++ websites/staging/libcloud/trunk/content/security.html Tue Dec 31 14:24:37 2013
@@ -104,6 +104,25 @@
     <div id="main" class="span-16 last">
       
       <h2 id="libcloud-vulnerabilities">Libcloud Vulnerabilities</h2>
+<h3 id="cve-2013-6480-libcloud-doesnt-send-scrub_data-query-parameter-when-destroying-a-digitalocean-node">[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node</h3>
+<p><strong>Severity</strong>: Low<br />
+<strong>Affected Versions</strong>: Apache Libcloud <strong>0.12.3</strong> to <strong>0.13.3</strong> (version prior
+to 0.12.3 don't include a DigitalOcean driver)<br />
+<strong>Description</strong>:</p>
+<p>DigitalOcean recently changed the default API behavior from scrub to non-scrub
+when destroying a VM.</p>
+<p>Libcloud doesn't explicitly send "scrub_data" query parameter when destroying a
+node. This means nodes which are destroyed using Libcloud are vulnerable to
+later customers stealing data contained on them.</p>
+<p>Note: Only users who are using DigitalOcean driver are affected by this issue.</p>
+<p>References:</p>
+<ul>
+<li><a href="https://digitalocean.com/blog_posts/transparency-regarding-data-security" rel="nofollow">https://digitalocean.com/blog_posts/transparency-regarding-data-security</a></li>
+<li><a href="https://github.com/fog/fog/issues/2525" rel="nofollow">https://github.com/fog/fog/issues/2525</a></li>
+</ul>
+<p><strong>Mitigation</strong>:</p>
+<p>This vulnerability has been fixed in version 0.13.3. Users who use DigitalOcean
+driver are strongly encouraged to upgrade to this release.</p>
 <h3 id="cve-2012-3446-possible-ssl-mitm-due-to-invalid-regular-expression-used-to-validate-the-target-server-hostname">[CVE-2012-3446] Possible SSL MITM due to invalid regular expression used to validate the target server hostname</h3>
 <p><strong>Severity</strong>: Medium</p>
 <p><strong>Versions Affected</strong>:</p>
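Review bot: The new CVE-2013-6480 entry contradicts itself on 0.13.3: the "Affected Versions" line gives the range as "0.12.3 to 0.13.3", while the Mitigation paragraph says the issue "has been fixed in version 0.13.3". A reader cannot tell from this whether 0.13.3 is safe to run. If the fix shipped in 0.13.3, the upper bound should be the last release before it, or the range should be marked as exclusive of 0.13.3. Smaller points in the same block: "version prior to 0.12.3 don't include" should read "versions prior to", the label is "Affected Versions" here but "Versions Affected" in the CVE-2012-3446 entry directly below, and "References:" is the only field label in the entry that is not wrapped in <strong>. The description also does not say what users who cannot upgrade should do, so it would help to state whether there is any workaround for nodes destroyed with an affected release.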