Posted to notifications@libcloud.apache.org by to...@apache.org on 2012/08/02 02:23:25 UTC
svn commit: r1368318 - in /libcloud/site/trunk: content/downloads.mdtext
content/security.mdtext templates/blocks/other.html
Author: tomaz
Date: Thu Aug 2 00:23:25 2012
New Revision: 1368318
URL: http://svn.apache.org/viewvc?rev=1368318&view=rev
Log:
Add info about 0.11.1 release, update security page.
Modified:
libcloud/site/trunk/content/downloads.mdtext
libcloud/site/trunk/content/security.mdtext
libcloud/site/trunk/templates/blocks/other.html
Modified: libcloud/site/trunk/content/downloads.mdtext
URL: http://svn.apache.org/viewvc/libcloud/site/trunk/content/downloads.mdtext?rev=1368318&r1=1368317&r2=1368318&view=diff
==============================================================================
--- libcloud/site/trunk/content/downloads.mdtext (original)
+++ libcloud/site/trunk/content/downloads.mdtext Thu Aug 2 00:23:25 2012
@@ -3,19 +3,19 @@ title: Downloads
## Downloads ##
<ul>
- <li>0.11.0 - Released July 30th, 2012 (<a href="https://svn.apache.org/viewvc/libcloud/tags/0.11.0/CHANGES?revision=r136489&view=markup">CHANGES</a>):
+ <li>0.11.1 - Released August 1st, 2012:
<ul>
- <li><a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.tar.bz2">apache-libcloud-0.11.0.tar.bz2</a>
- [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.tar.bz2.asc">asc</a>]
- [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.tar.bz2.sha1">sha1</a>]
- [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.tar.bz2.md5">md5</a>]
+ <li><a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.tar.bz2">apache-libcloud-0.11.1.tar.bz2</a>
+ [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.tar.bz2.asc">asc</a>]
+ [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.tar.bz2.sha1">sha1</a>]
+ [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.tar.bz2.md5">md5</a>]
</li>
- <li><a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.zip">apache-libcloud-0.11.0.zip</a>
- [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.zip.asc">asc</a>]
- [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.zip.sha1">sha1</a>]
- [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.zip.md5">md5</a>]
+ <li><a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.zip">apache-libcloud-0.11.1.zip</a>
+ [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.zip.asc">asc</a>]
+ [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.zip.sha1">sha1</a>]
+ [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.zip.md5">md5</a>]
</li>
- <li>Verify with these public <a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/KEYS">KEYS</a> used by Apache Libcloud developers.</li>
+ <li>Verify with these public <a href="http://www.apache.org/dist/libcloud/KEYS">KEYS</a> used by Apache Libcloud developers.</li>
</ul>
</li>
</ul>
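Review bot: The new `asc`, `sha1`, `md5` and KEYS links in the 0.11.1 list all use `http://www.apache.org/dist/libcloud/...`, so the material a reader relies on to verify the download is itself fetched over a channel that can be altered in transit. Suggest the `https://` scheme for at least the KEYS, signature and checksum links. The 0.11.1 heading line also drops the CHANGES link that the 0.11.0 entry carried; since the same commit documents a security fix for this release, a link to the changelog or to the security page would be useful there.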
@@ -44,7 +44,7 @@ gpg: next trustdb check due at 2011-10-3
</li>
<li>
Verify package with .asc signature:
-<pre>$ <strong>gpg --verify apache-libcloud-0.11.0.tar.bz2.asc</strong>
+<pre>$ <strong>gpg --verify apache-libcloud-0.11.1.tar.bz2.asc</strong>
gpg: Signature made Wed Oct 6 15:31:35 2010 CDT using DSA key ID 42721F00
<span style="color:green">gpg: Good signature from "Paul Querna <...>"
gpg: aka "Paul Querna <...>"
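Review bot: Only the file name in the `gpg --verify` command was bumped to 0.11.1; the sample output under it still reads `Signature made Wed Oct 6 15:31:35 2010`, which cannot be what a reader sees for a release dated August 1st, 2012. Either regenerate the sample from the actual 0.11.1 signature, or use a version-neutral file name in the example so it does not need editing on every release and never disagrees with its own output.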
@@ -53,7 +53,7 @@ gpg: WARNING: This key is not certified
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00</pre>
Example bad signature:
-<pre>$ <strong>gpg --verify apache-libcloud-0.11.0.tar.bz2.asc</strong>
+<pre>$ <strong>gpg --verify apache-libcloud-0.11.1.tar.bz2.asc</strong>
gpg: Signature made Wed Oct 6 15:31:35 2010 CDT using DSA key ID 42721F00
<span style="color:red">gpg: BAD signature from "Paul Querna <...>"</span></pre>
</li>
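Review bot: The good-signature sample ends with the "key is not certified" warning and a primary key fingerprint, but nothing visible in this hunk tells the reader what to do with them. Suggest a sentence before "Example bad signature:" asking readers to compare the printed fingerprint against the KEYS file before trusting the "Good signature" line. The bad-signature example has the same stale 2010 timestamp under a 0.11.1 file name as the previous hunk.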
Modified: libcloud/site/trunk/content/security.mdtext
URL: http://svn.apache.org/viewvc/libcloud/site/trunk/content/security.mdtext?rev=1368318&r1=1368317&r2=1368318&view=diff
==============================================================================
--- libcloud/site/trunk/content/security.mdtext (original)
+++ libcloud/site/trunk/content/security.mdtext Thu Aug 2 00:23:25 2012
@@ -1,8 +1,38 @@
title: Security updates and reports
-## Libcloud Vulnerabilities ##
+## Libcloud Vulnerabilities
-**SSL MITM vulnerability - CVE-2010-4340**
+### [CVE-2012-3446] Possible SSL MITM due to invalid regular expression used to validate the target server hostname
+
+**Severity**: Medium
+
+**Versions Affected**:
+
+Apache Libcloud 0.4.2 to 0.11.1
+
+Versions prior to 0.4.2 don't perform any target server SSL certificate
+validation.
+
+**Description**:
+
+When establishing a secure (SSL / TLS) connection to a target server an
+invalid regular expression has been used for performing the hostname
+verification. Subset instead of the full target server hostname has been
+marked an an acceptable match for the given hostname.
+
+For example, certificate with a hostname field of "aexample.com" was considered
+a valid certificate for domain "example.com".
+
+**Mitigation**:
+
+Users should upgrade to the latest version (0.11.1) which includes a fix.
+
+**Credit**:
+
+This issue was discovered by researchers from the University of Texas at Austin
+(Martin Georgiev, Suman Jana and Vitaly Shmatikov).
+
+### [CVE-2010-4340] SSL MITM vulnerability
**Description**:
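Review bot: The CVE-2012-3446 entry contradicts itself: "Versions Affected" says `Apache Libcloud 0.4.2 to 0.11.1`, while "Mitigation" says to upgrade to 0.11.1 "which includes a fix". If 0.11.1 is the fixed release, the affected range should end at 0.11.0. Two wording points in the Description: "marked an an acceptable match" has a doubled word, and "Subset instead of the full target server hostname" would read more clearly as a statement that a certificate hostname merely containing the target hostname was accepted, which is what the "aexample.com" example shows. A blank line between the new `### [CVE-2010-4340]` heading and the following `**Description**:` would also match the spacing used in the entry above it.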
@@ -19,7 +49,7 @@ This vulnerability has been fixed in the
to upgrade to this version and set libcloud.security.VERIFY_SSL_CERT variable
to True.
-## Reporting a vulnerability ##
+## Reporting a vulnerability
If you find a security vulnerability you are strongly encouraged to report it to
our private mailing list: [security@libcloud.apache.org](mailto:security@libcloud.apache.org)
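Review bot: Style nit on `## Reporting a vulnerability`: security.mdtext now uses open ATX headings, while downloads.mdtext, touched in the same commit, still has `## Downloads ##`. Pick one heading form for the site's .mdtext files and apply it in both.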
Modified: libcloud/site/trunk/templates/blocks/other.html
URL: http://svn.apache.org/viewvc/libcloud/site/trunk/templates/blocks/other.html?rev=1368318&r1=1368317&r2=1368318&view=diff
==============================================================================
--- libcloud/site/trunk/templates/blocks/other.html (original)
+++ libcloud/site/trunk/templates/blocks/other.html Thu Aug 2 00:23:25 2012
@@ -1,6 +1,6 @@
<h3>Get it</h3>
<div id="get-it">
- Latest stable: <a href="/downloads.html">0.11.0</a> (July 30th, 2012)
+ Latest stable: <a href="/downloads.html">0.11.1</a> (August 1st, 2012)
</div>
<h3>Need help?</h3>