Posted to announce@apache.org by Tomaz Muraus <to...@apache.org> on 2013/12/31 15:45:20 UTC

[ANNOUNCE] [SECURITY FIX] Apache Libcloud 0.13.3

Libcloud is a Python library that abstracts away the differences among
multiple cloud provider APIs. It allows users to manage cloud services
(servers, storage, load balancers, DNS) offered by many different providers
through a single, unified and easy to use API.

This is a security-fix only release. It fixes a security issue with a
potential leak of data contained on a destroyed DigitalOcean node. Only users
who are using a DigitalOcean driver are affected.

DigitalOcean recently changed the default API behavior from scrub to
non-scrub when destroying a VM without notifying the customers and API
consumers.

Libcloud prior to this release doesn't explicitly send "scrub_data" query
parameter when destroying a node. This means nodes which are destroyed using
Libcloud are vulnerable to later customers stealing data contained on them.

This release fixes that by always sending "scrub_data" query parameter when
destroying a DigitalOcean node.

If you are using a DigitalOcean driver, you are strongly encouraged to
upgrade (or downgrade if you are using 0.14.0-beta3 beta release) to this
release.

More information is available on our "Security" page -
https://libcloud.apache.org/security.html

Download

Libcloud 0.13.3 can be downloaded from
http://libcloud.apache.org/downloads.html

or installed using pip:

pip install apache-libcloud==0.13.3

It is possible that the file hasn't been synced to all the mirrors yet. If
this is the case, please use the main Apache mirror -
https://www.apache.org/dist/libcloud.

Upgrading

If you have installed Libcloud using pip you can also use it to upgrade it:

pip install --upgrade apache-libcloud==0.13.3

Upgrade notes

A page which describes backward incompatible or semi-incompatible
changes and how to preserve the old behavior when this is possible
can be found at
https://libcloud.readthedocs.org/en/latest/upgrade_notes.html

Documentation

Regular and API documentation is available at
https://libcloud.readthedocs.org/en/latest/.

Bugs / Issues

If you find any bug or issue, please report it on our issue tracker
<https://issues.apache.org/jira/browse/LIBCLOUD>.
Don't forget to attach an example and / or test which reproduces your
problem.

Thanks

Thanks to everyone who contributed and made this release possible!

Full list of people who contributed to this release can be found in the
CHANGES file
<https://git-wip-us.apache.org/repos/asf?p=libcloud.git;a=blob;f=CHANGES;h=a06b0ed4c443f9f56784572a4e291e779de599e3;hb=a1fdac91ec9fdf699d77f9f9b01699de7f56171e#l3>.
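
Added example, not part of the original announcement and not Libcloud's own code: a check over outbound request URLs that flags destroy calls which leave the scrub decision to the provider default, next to a builder that always states it. The URL layout, the host, the credential parameters and the accepted truthy values are assumptions; only the "scrub_data" parameter name comes from the announcement.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for illustration: destroy calls are requests whose path ends in
# /destroy/, and "1" or "true" switches scrubbing on. Only the parameter name
# "scrub_data" comes from the announcement.
TRUTHY = {"1", "true"}


def build_destroy_url(base, node_id, auth_params):
    """Build a destroy URL that states the scrub choice instead of inheriting it."""
    params = dict(auth_params, scrub_data="1")
    query = urlencode(sorted(params.items()))
    return "%s/droplets/%s/destroy/?%s" % (base.rstrip("/"), node_id, query)


def scrub_status(url):
    """Return 'explicit', 'disabled' or 'missing'; None if not a destroy call."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/destroy"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("scrub_data")
    if values is None:
        return "missing"  # outcome depends on whatever the provider default is
    # A repeated parameter with mixed values is ambiguous, so require all truthy.
    if all(v.lower() in TRUTHY for v in values):
        return "explicit"
    return "disabled"


def audit(urls):
    """Return (url, status) for every destroy call that does not request a scrub."""
    findings = []
    for url in urls:
        status = scrub_status(url)
        if status in ("missing", "disabled"):
            findings.append((url, status))
    return findings


# Constructed sample of outbound request URLs (placeholder host and credentials).
SAMPLE_LOG = [
    "https://api.example.invalid/droplets/101/destroy/?client_id=ID&api_key=KEY",
    "https://api.example.invalid/droplets/102/destroy/?client_id=ID&scrub_data=1",
    "https://api.example.invalid/droplets/103/destroy/?scrub_data=0&client_id=ID",
    "https://api.example.invalid/droplets/104/reboot/?client_id=ID",
    "https://api.example.invalid/droplets/105/destroy/?scrub_data=1&scrub_data=0",
]

if __name__ == "__main__":
    for url, status in audit(SAMPLE_LOG):
        print(status, url)
```
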

[dev] Re: [ANNOUNCE] [SECURITY FIX] Apache Libcloud 0.13.3

Posted by Tomaz Muraus <to...@apache.org>.
Just a quick update / follow-up.

DigitalOcean updated their blog post[1][2]. The updated post says that
scrubbing is now enabled by default for all the newly issued destroy
requests:

> All Destroys Default to Scrub
> We have updated the destroy method to scrub on all destroys, both for
> web and API requests.

This means that no action is required on the client side and upgrading
to 0.13.3 should not be necessary anymore.

[1]: https://twitter.com/digitalocean/status/418140046265294848
[2]: https://digitalocean.com/blog_posts/transparency-regarding-data-security

On Tue, Dec 31, 2013 at 3:45 PM, Tomaz Muraus <to...@apache.org> wrote:
> Libcloud is a Python library that abstracts away the differences among
> multiple cloud provider APIs. It allows users to manage cloud services
> (servers, storage, load balancers, DNS) offered by many different providers
> through a single, unified and easy to use API.
>
> This is a security-fix only release. It fixes a security issue with a
> potential leak of data contained on a destroyed DigitalOcean node. Only users
> who are using a DigitalOcean driver are affected.
>
> DigitalOcean recently changed the default API behavior from scrub to
> non-scrub when destroying a VM without notifying the customers and API
> consumers.
>
> Libcloud prior to this release doesn't explicitly send "scrub_data" query
> parameter when destroying a node. This means nodes which are destroyed using
> Libcloud are vulnerable to later customers stealing data contained on them.
>
> This release fixes that by always sending "scrub_data" query parameter when
> destroying a DigitalOcean node.
>
> If you are using a DigitalOcean driver, you are strongly encouraged to
> upgrade (or downgrade if you are using 0.14.0-beta3 beta release) to this
> release.
>
> More information is available on our "Security" page -
> https://libcloud.apache.org/security.html
>
> Download
>
> Libcloud 0.13.3 can be downloaded from
> http://libcloud.apache.org/downloads.html
>
> or installed using pip:
>
> pip install apache-libcloud==0.13.3
>
> It is possible that the file hasn't been synced to all the mirrors yet. If
> this is the case, please use the main Apache mirror -
> https://www.apache.org/dist/libcloud.
>
> Upgrading
>
> If you have installed Libcloud using pip you can also use it to upgrade it:
>
> pip install --upgrade apache-libcloud==0.13.3
>
> Upgrade notes
>
> A page which describes backward incompatible or semi-incompatible
> changes and how to preserve the old behavior when this is possible
> can be found at
> https://libcloud.readthedocs.org/en/latest/upgrade_notes.html
>
> Documentation
>
> Regular and API documentation is available at
> https://libcloud.readthedocs.org/en/latest/.
>
> Bugs / Issues
>
> If you find any bug or issue, please report it on our issue tracker
> <https://issues.apache.org/jira/browse/LIBCLOUD>.
> Don't forget to attach an example and / or test which reproduces your
> problem.
>
> Thanks
>
> Thanks to everyone who contributed and made this release possible!
>
> Full list of people who contributed to this release can be found in the
> CHANGES file
> <https://git-wip-us.apache.org/repos/asf?p=libcloud.git;a=blob;f=CHANGES;h=a06b0ed4c443f9f56784572a4e291e779de599e3;hb=a1fdac91ec9fdf699d77f9f9b01699de7f56171e#l3>.
