Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@apache.org> on 2018/04/03 16:46:57 UTC

[ANNOUNCE][SECURITY] CloudStack 4.9.3.1 Robot TLS attack

All,

On private@ and security@, we discussed and worked on a fix for the ROBOT TLS
attack [1] and released CloudStack 4.9.3.1. The issue does not affect the
latest 4.11.0.0 version and does not require any upgrades/fixes/changes in
that regard.

The issue primarily affects installations that are using an older version
of bouncycastle; the only change we made against the 4.9.3.0 release was to
upgrade the bouncycastle dependency version [2] to 1.59. After upgrading to
4.9.3.1 from 4.9.3.0, users will be required to destroy old CPVMs and SSVMs
(new ones will be patched by a newer systemvm.iso that will have the v1.59
bc dependency jar), and to upgrade and restart KVM agent(s) and management
server(s).

Download page:
http://cloudstack.apache.org/downloads.html

Release notes for 4.9.3.1:
http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.9.3.1/

[1] https://robotattack.org
[2] https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c

Regards,
Rohit Yadav