Posted to notifications@libcloud.apache.org by to...@apache.org on 2013/12/31 14:28:44 UTC

svn commit: r1554509 - /libcloud/site/trunk/source/security.md

Author: tomaz
Date: Tue Dec 31 13:28:43 2013
New Revision: 1554509

URL: http://svn.apache.org/r1554509
Log:
Add info about DigitalOcean vulnerability to the security page.

Modified:
    libcloud/site/trunk/source/security.md

Modified: libcloud/site/trunk/source/security.md
URL: http://svn.apache.org/viewvc/libcloud/site/trunk/source/security.md?rev=1554509&r1=1554508&r2=1554509&view=diff
==============================================================================
--- libcloud/site/trunk/source/security.md (original)
+++ libcloud/site/trunk/source/security.md Tue Dec 31 13:28:43 2013
@@ -8,6 +8,32 @@ description: See a list of known vulnera
 
 <a name="security-vulnerabilities" id="security-vulnerabilities"><h2 class="anchor">Security Vulnerabilities</h2></a>
 
+<a name="CVE-2013-6480"><h3 class="anchor">[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node</h3></a>
+
+**Severity**: Low  
+**Affected Versions**: Apache Libcloud **0.12.3** to **0.13.3** (version prior
+to 0.12.3 don't include a DigitalOcean driver)  
+**Description**:
+
+DigitalOcean recently changed the default API behavior from scrub to non-scrub
+when destroying a VM.
+
+Libcloud doesn't explicitly send "scrub_data" query parameter when destroying a
+node. This means nodes which are destroyed using Libcloud are vulnerable to
+later customers stealing data contained on them.
+
+Note: Only users who are using DigitalOcean driver are affected by this.
+
+References:
+
+* <a href="https://digitalocean.com/blog_posts/transparency-regarding-data-security" rel="nofollow">https://digitalocean.com/blog_posts/transparency-regarding-data-security</a>
+* <a href="https://github.com/fog/fog/issues/2525" rel="nofollow">https://github.com/fog/fog/issues/2525</a>
+
+**Mitigation**:
+
+This vulnerability has been fixed in version 0.13.3. Users who use DigitalOcean
+driver are strongly encouraged to upgrade to this release.
+
 <a name="CVE-2012-3446"><h3 class="anchor">[CVE-2012-3446] Possible SSL MITM due to invalid regular expression used to validate the target server hostname</h3></a>
 
 **Severity**: Medium
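Review bot: the affected-version range contradicts the mitigation. The added "**Affected Versions**" line says "Apache Libcloud **0.12.3** to **0.13.3**", while the "**Mitigation**" paragraph says the issue "has been fixed in version 0.13.3"; if 0.13.3 contains the fix, the affected range should end at 0.13.2 (or the mitigation should name the release that actually ships the fix). Two smaller points in the same hunk: "(version prior to 0.12.3 don't include a DigitalOcean driver)" should read "(versions prior to 0.12.3 don't include a DigitalOcean driver)", and the mitigation only tells users to upgrade; it would help readers to also state what the fixed release does differently, i.e. that it explicitly sends the "scrub_data" parameter on destroy, since the description names that missing parameter as the cause.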