Posted to notifications@libcloud.apache.org by to...@apache.org on 2012/08/02 02:23:25 UTC

svn commit: r1368318 - in /libcloud/site/trunk: content/downloads.mdtext content/security.mdtext templates/blocks/other.html

Author: tomaz
Date: Thu Aug  2 00:23:25 2012
New Revision: 1368318

URL: http://svn.apache.org/viewvc?rev=1368318&view=rev
Log:
Add info about 0.11.1 release, update security page.

Modified:
    libcloud/site/trunk/content/downloads.mdtext
    libcloud/site/trunk/content/security.mdtext
    libcloud/site/trunk/templates/blocks/other.html

Modified: libcloud/site/trunk/content/downloads.mdtext
URL: http://svn.apache.org/viewvc/libcloud/site/trunk/content/downloads.mdtext?rev=1368318&r1=1368317&r2=1368318&view=diff
==============================================================================
--- libcloud/site/trunk/content/downloads.mdtext (original)
+++ libcloud/site/trunk/content/downloads.mdtext Thu Aug  2 00:23:25 2012
@@ -3,19 +3,19 @@ title: Downloads
 ## Downloads ##
 
 <ul>
-    <li>0.11.0 - Released July 30th, 2012 (<a href="https://svn.apache.org/viewvc/libcloud/tags/0.11.0/CHANGES?revision=r136489&view=markup">CHANGES</a>):
+    <li>0.11.1 - Released August 1st, 2012:
       <ul>
-        <li><a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.tar.bz2">apache-libcloud-0.11.0.tar.bz2</a>
-            [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.tar.bz2.asc">asc</a>]
-            [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.tar.bz2.sha1">sha1</a>]
-            [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.tar.bz2.md5">md5</a>]
+        <li><a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.tar.bz2">apache-libcloud-0.11.1.tar.bz2</a>
+            [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.tar.bz2.asc">asc</a>]
+            [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.tar.bz2.sha1">sha1</a>]
+            [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.tar.bz2.md5">md5</a>]
         </li>
-        <li><a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.zip">apache-libcloud-0.11.0.zip</a>
-            [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.zip.asc">asc</a>]
-            [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.zip.sha1">sha1</a>]
-            [<a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/apache-libcloud-0.11.0.zip.md5">md5</a>]
+        <li><a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.zip">apache-libcloud-0.11.1.zip</a>
+            [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.zip.asc">asc</a>]
+            [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.zip.sha1">sha1</a>]
+            [<a href="http://www.apache.org/dist/libcloud/apache-libcloud-0.11.1.zip.md5">md5</a>]
         </li>
-          <li>Verify with these public <a href="http://www.apache.org/dyn/closer.cgi?path=libcloud/KEYS">KEYS</a> used by Apache Libcloud developers.</li>
+          <li>Verify with these public <a href="http://www.apache.org/dist/libcloud/KEYS">KEYS</a> used by Apache Libcloud developers.</li>
       </ul>
     </li>
   </ul>
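Review bot: The new .asc, .sha1, .md5 and KEYS links in this hunk all point at http://www.apache.org/dist/libcloud/..., so the keys and signatures a reader uses to authenticate the release are fetched over a channel that is not itself authenticated. Link at least KEYS and the .asc files as https://www.apache.org/dist/libcloud/... instead. The 0.11.1 entry also drops the CHANGES link that the 0.11.0 entry carried; since this release ships a security fix, pointing readers at its changelog would be useful.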
@@ -44,7 +44,7 @@ gpg: next trustdb check due at 2011-10-3
 	  </li>
 	  <li>
 	    Verify package with .asc signature:
-<pre>$ <strong>gpg --verify apache-libcloud-0.11.0.tar.bz2.asc</strong>
+<pre>$ <strong>gpg --verify apache-libcloud-0.11.1.tar.bz2.asc</strong>
 gpg: Signature made Wed Oct  6 15:31:35 2010 CDT using DSA key ID 42721F00
 <span style="color:green">gpg: Good signature from "Paul Querna &lt;...&gt;"
 gpg:                 aka "Paul Querna &lt;...&gt;"
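Review bot: The command line now names apache-libcloud-0.11.1.tar.bz2.asc, but the sample output under it still reads "Signature made Wed Oct  6 15:31:35 2010 CDT using DSA key ID 42721F00", which cannot be the output for a package released August 1st, 2012. Either refresh the transcript from a real verification of the 0.11.1 artifact or label it as illustrative output, so a reader who sees a different date or key ID does not take that as a verification failure.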
@@ -53,7 +53,7 @@ gpg: WARNING: This key is not certified 
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 39F6 691A 0ECF 0C50 E8BB  849C F788 75F6 4272 1F00</pre>
             Example bad signature:
-<pre>$ <strong>gpg --verify apache-libcloud-0.11.0.tar.bz2.asc</strong>
+<pre>$ <strong>gpg --verify apache-libcloud-0.11.1.tar.bz2.asc</strong>
 gpg: Signature made Wed Oct  6 15:31:35 2010 CDT using DSA key ID 42721F00
 <span style="color:red">gpg: BAD signature from "Paul Querna &lt;...&gt;"</span></pre>
 	  </li>
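Review bot: The bad-signature example has the same mismatch between the 0.11.1 file name and the 2010 signature date. Separately, the good-signature sample in the context above ends with "There is no indication that the signature belongs to the owner." followed by the primary key fingerprint, and the visible lines do not tell the reader what to do with either. A sentence saying to compare the printed fingerprint against the one for the signer in KEYS would make the example actionable.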

Modified: libcloud/site/trunk/content/security.mdtext
URL: http://svn.apache.org/viewvc/libcloud/site/trunk/content/security.mdtext?rev=1368318&r1=1368317&r2=1368318&view=diff
==============================================================================
--- libcloud/site/trunk/content/security.mdtext (original)
+++ libcloud/site/trunk/content/security.mdtext Thu Aug  2 00:23:25 2012
@@ -1,8 +1,38 @@
 title: Security updates and reports
 
-## Libcloud Vulnerabilities ##
+## Libcloud Vulnerabilities
 
-**SSL MITM vulnerability - CVE-2010-4340**
+### [CVE-2012-3446] Possible SSL MITM due to invalid regular expression used to validate the target server hostname
+
+**Severity**: Medium
+
+**Versions Affected**:
+
+Apache Libcloud 0.4.2 to 0.11.1
+
+Versions prior to 0.4.2 don't perform any target server SSL certificate
+validation.
+
+**Description**:
+
+When establishing a secure (SSL / TLS) connection to a target server an
+invalid regular expression has been used for performing the hostname
+verification. Subset instead of the full target server hostname has been
+marked an an acceptable match for the given hostname.
+
+For example, certificate with a hostname field of "aexample.com" was considered
+a valid certificate for domain "example.com".
+
+**Mitigation**:
+
+Users should upgrade to the latest version (0.11.1) which includes a fix.
+
+**Credit**:
+
+This issue was discovered by researchers from the University of Texas at Austin
+(Martin Georgiev, Suman Jana and Vitaly Shmatikov).
+
+### [CVE-2010-4340] SSL MITM vulnerability
 
 **Description**:
 
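Review bot: "Versions Affected" gives the range as "Apache Libcloud 0.4.2 to 0.11.1", while the Mitigation paragraph says 0.11.1 "includes a fix"; the two cannot both be right, and the upper bound presumably should be 0.11.0. The Description also has a typo ("marked an an acceptable match"), and "Subset instead of the full target server hostname" is hard to parse. Consider wording it the way the example shows it: a certificate name that merely contains the requested hostname ("aexample.com" for "example.com") was accepted as a match.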
@@ -19,7 +49,7 @@ This vulnerability has been fixed in the
 to upgrade to this version and set libcloud.security.VERIFY_SSL_CERT variable
 to True.
 
-## Reporting a vulnerability ##
+## Reporting a vulnerability
 
 If you find a security vulnerability you are strongly encouraged to report it to
 our private mailing list: [security@libcloud.apache.org](mailto:security@libcloud.apache.org)

Modified: libcloud/site/trunk/templates/blocks/other.html
URL: http://svn.apache.org/viewvc/libcloud/site/trunk/templates/blocks/other.html?rev=1368318&r1=1368317&r2=1368318&view=diff
==============================================================================
--- libcloud/site/trunk/templates/blocks/other.html (original)
+++ libcloud/site/trunk/templates/blocks/other.html Thu Aug  2 00:23:25 2012
@@ -1,6 +1,6 @@
 <h3>Get it</h3>
 <div id="get-it">
-    Latest stable: <a href="/downloads.html">0.11.0</a> (July 30th, 2012)
+    Latest stable: <a href="/downloads.html">0.11.1</a> (August 1st, 2012)
 </div>
 
 <h3>Need help?</h3>