This is an automated email from the ASF dual-hosted git repository.

rohit pushed a commit to branch staging-site
in repository https://gitbox.apache.org/repos/asf/cloudstack-www.git


The following commit(s) were added to refs/heads/staging-site by this push:
     new c186ad6a advisory and release updates
c186ad6a is described below

commit c186ad6af1f32e54062886c7369ac5c73e000d02
Author: Rohit Yadav <[email protected]>
AuthorDate: Fri Jul 5 18:03:59 2024 +0530

    advisory and release updates
    
    Signed-off-by: Rohit Yadav <[email protected]>
---
 .../banner.jpg                                     | Bin 0 -> 76306 bytes
 .../index.md                                       |  93 +++++++++++++++++++++
 src/components/Releases/index.tsx                  |   2 +
 src/pages/downloads.mdx                            |  36 ++++----
 src/pages/index.tsx                                |   8 +-
 5 files changed, 118 insertions(+), 21 deletions(-)

diff --git 
a/blog/2024-07-05-security-release-advisory-4.19.0.2-4.18.2.1/banner.jpg 
b/blog/2024-07-05-security-release-advisory-4.19.0.2-4.18.2.1/banner.jpg
new file mode 100644
index 00000000..8c0cd7eb
Binary files /dev/null and 
b/blog/2024-07-05-security-release-advisory-4.19.0.2-4.18.2.1/banner.jpg differ
diff --git 
a/blog/2024-07-05-security-release-advisory-4.19.0.2-4.18.2.1/index.md 
b/blog/2024-07-05-security-release-advisory-4.19.0.2-4.18.2.1/index.md
new file mode 100644
index 00000000..1b635b7b
--- /dev/null
+++ b/blog/2024-07-05-security-release-advisory-4.19.0.2-4.18.2.1/index.md
@@ -0,0 +1,93 @@
+---
+layout: post
+title: "[ADVISORY] Apache CloudStack LTS Security Releases 4.18.2.1 and 
4.19.0.2"
+tags: [announcement]
+authors: [shwstppr]
+slug: security-release-advisory-4.19.0.2-4.18.2.1
+---
+
+[![](banner.jpg "Apache CloudStack LTS Security Releases 4.18.2.1 and 
4.19.0.2")](/blog/security-release-advisory-4.19.0.2-4.18.2.1)
+
+Apache CloudStack project announces the release of LTS security releases
+[4.18.2.1](https://github.com/apache/cloudstack/releases/tag/4.18.2.1) and
+[4.19.0.2](https://github.com/apache/cloudstack/releases/tag/4.19.0.2) that
+addresses CVE-2024-38346 and CVE-2024-39864, both of severity rating
+'important', explained below.
+
+<!-- truncate -->
+
+## [CVE-2024-38346](https://www.cve.org/CVERecord?id=CVE-2024-38346): 
Unauthenticated cluster service port leads to remote execution
+
+The CloudStack cluster service runs on unauthenticated port (default 9090) that
+can be misused to run arbitrary commands on targeted hypervisors and CloudStack
+management server hosts. Some of these commands were found to have command
+injection vulnerabilities that can result in arbitrary code execution via 
agents
+on the hosts that may run as a privileged user. An attacker that can reach the
+cluster service on the unauthenticated port (default 9090), can exploit this to
+perform remote code execution on CloudStack managed hosts and result in 
complete
+compromise of the confidentiality, integrity, and availability of CloudStack
+managed infrastructure.
+
+## [CVE-2024-39864](https://www.cve.org/CVERecord?id=CVE-2024-39864): 
Integration API service uses dynamic port when disabled
+
+The CloudStack integration API service allows running its unauthenticated API
+server (usually on port 8096 when configured and enabled via
+integration.api.port global setting) for internal portal integrations and for
+testing purposes. By default, the integration API service port is disabled and
+is considered disabled when integration.api.port is set to 0 or negative. Due 
to
+an improper initialisation logic, the integration API service would listen on a
+random port when its port value is set to 0 (default value). An attacker that
+can access the CloudStack management network could scan and find the randomised
+integration API service port and exploit it to perform unauthorised
+administrative actions and perform remote code execution on CloudStack managed
+hosts and result in complete compromise of the confidentiality, integrity, and
+availability of CloudStack managed infrastructure.
+
+## Credits
+
+Both the CVEs are credited to the following reporters from the Apple Services
+Engineering Security team:
+
+- Adam Pond (finder)
+- Terry Thibault (finder)
+- Damon Smith (finder)
+
+## Affected versions:
+
+- Apache CloudStack 4.0.0 through 4.18.2.0
+- Apache CloudStack 4.19.0.0 through 4.19.0.1
+
+## Resolution
+
+Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which
+addresses these issues. Additionally, users who cannot upgrade and otherwise
+are recommended for following actions:
+
+- Restrict the network access to the cluster service port (default 9090) on a
+CloudStack management server host to only its peer CloudStack management server
+hosts.
+
+- Restrict the network access on the CloudStack management server hosts to only
+essential ports.
+
+## Downloads and Documentation
+
+The official source code for the 4.18.2.1 and 4.19.0.2 releases can be
+downloaded from the project downloads page:
+
+https://cloudstack.apache.org/downloads
+
+The 4.18.2.1 and 4.19.0.2 release notes can be found at:
+- https://docs.cloudstack.apache.org/en/4.18.2.1/releasenotes/about.html
+- https://docs.cloudstack.apache.org/en/4.19.0.2/releasenotes/about.html
+
+In addition to the official source code release, individual contributors
+have also made release packages available on the Apache CloudStack
+download page, and available at:
+
+- https://download.cloudstack.org/el/7/
+- https://download.cloudstack.org/el/8/
+- https://download.cloudstack.org/el/9/
+- https://download.cloudstack.org/suse/15/
+- https://download.cloudstack.org/ubuntu/dists/
+- https://www.shapeblue.com/cloudstack-packages/
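Review bot: the Resolution paragraph in this hunk reads "users who cannot upgrade and otherwise are recommended for following actions", which is ungrammatical; suggest "Users who cannot upgrade are additionally recommended to take the following actions:". The two mitigation bullets would also be clearer if each named the CVE it addresses: restricting the cluster service port (default 9090) to peer management servers covers CVE-2024-38346, while CVE-2024-39864 arises from the integration API service binding a random port when integration.api.port is 0, so the second bullet (allow only essential ports on management server hosts) is the one that blocks it. Minor: "## Affected versions:" carries a trailing colon that the other headings lack, and "Apache CloudStack project announces" should read "The Apache CloudStack project announces".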
diff --git a/src/components/Releases/index.tsx 
b/src/components/Releases/index.tsx
index 74fe3bde..fb5a2992 100644
--- a/src/components/Releases/index.tsx
+++ b/src/components/Releases/index.tsx
@@ -1,8 +1,10 @@
 import React from "react";
 
 const versions = [
+       '4.19.0.2',
        '4.19.0.1',
        '4.19.0.0',
+       '4.18.2.1',
        '4.18.2.0',
        '4.18.1.1',
        '4.18.1.0',
diff --git a/src/pages/downloads.mdx b/src/pages/downloads.mdx
index 10c7bba9..4b5b6823 100644
--- a/src/pages/downloads.mdx
+++ b/src/pages/downloads.mdx
@@ -18,42 +18,42 @@ releases](https://github.com/apache/cloudstack/releases).
 
 ### Source Releases
 
-Apache CloudStack's most recent release is `4.19.0.1`. This is current
+Apache CloudStack's most recent release is `4.19.0.2`. This is current
 CloudStack LTS release.
 
-<a class="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.0.1/apache-cloudstack-4.19.0.1-src.tar.bz2";>Get
 the 4.19.0.1 Source</a>&nbsp;
+<a class="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.0.2/apache-cloudstack-4.19.0.2-src.tar.bz2";>Get
 the 4.19.0.2 Source</a>&nbsp;
 <a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/KEYS";>KEYS</a>&nbsp;
-<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.0.1/apache-cloudstack-4.19.0.1-src.tar.bz2.asc";>PGP</a>&nbsp;
-<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.0.1/apache-cloudstack-4.19.0.1-src.tar.bz2.sha512";>SHA512</a>
+<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.0.2/apache-cloudstack-4.19.0.2-src.tar.bz2.asc";>PGP</a>&nbsp;
+<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.0.2/apache-cloudstack-4.19.0.2-src.tar.bz2.sha512";>SHA512</a>
 <br/><br/>
 
-Full release notes can be found in the version [4.19.0.0 Release
-Notes](https://docs.cloudstack.apache.org/en/4.19.0.0/releasenotes/) website.
+Full release notes can be found in the version [4.19.0.2 Release
+Notes](https://docs.cloudstack.apache.org/en/4.19.0.2/releasenotes/) website.
 
 Instructions for building from source and installing Apache CloudStack can be
 found in the [Installation
-Guide](https://docs.cloudstack.apache.org/en/4.19.0.0/installguide/).
+Guide](https://docs.cloudstack.apache.org/en/4.19.0.2/installguide/).
 Instructions for building from source and upgrading from a previous version of
-CloudStack to Apache CloudStack 4.19.0.1 can be found in the upgrade section of
+CloudStack to Apache CloudStack 4.19.0.2 can be found in the upgrade section of
 the Release Notes (see above).
 
-The latest CloudStack LTS maintenance release is `4.18.2.0` as part of the
+The latest CloudStack LTS maintenance release is `4.18.2.1` as part of the
 previous LTS release.
 
-<a class="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.0/apache-cloudstack-4.18.2.0-src.tar.bz2";>Get
 the 4.18.2.0 Source</a>&nbsp;
+<a class="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.1/apache-cloudstack-4.18.2.1-src.tar.bz2";>Get
 the 4.18.2.1 Source</a>&nbsp;
 <a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/KEYS";>KEYS</a>&nbsp;
-<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.0/apache-cloudstack-4.18.2.0-src.tar.bz2.asc";>PGP</a>&nbsp;
-<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.0/apache-cloudstack-4.18.2.0-src.tar.bz2.sha512";>SHA512</a>
+<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.1/apache-cloudstack-4.18.2.1-src.tar.bz2.asc";>PGP</a>&nbsp;
+<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.1/apache-cloudstack-4.18.2.1-src.tar.bz2.sha512";>SHA512</a>
 <br/><br/>
 
-Full release notes can be found in the version [4.18.2.0 Release
-Notes](https://docs.cloudstack.apache.org/en/4.18.2.0/releasenotes/) website.
+Full release notes can be found in the version [4.18.2.1 Release
+Notes](https://docs.cloudstack.apache.org/en/4.18.2.1/releasenotes/) website.
 
 Instructions for building from source and installing Apache CloudStack can be
 found in the [Installation
-Guide](https://docs.cloudstack.apache.org/en/4.18.2.0/installguide/).
+Guide](https://docs.cloudstack.apache.org/en/4.18.2.1/installguide/).
 Instructions for building from source and upgrading from a previous version of
-CloudStack to Apache CloudStack 4.18.2.0 can be found in the upgrade section of
+CloudStack to Apache CloudStack 4.18.2.1 can be found in the upgrade section of
 the Release Notes (see above).
 
 ### Community Packages
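Review bot: the four "Get the ... Source" buttons rewritten in this hunk still point at `http://www.apache.org/dyn/closer.lua/...` over plain HTTP, while the KEYS, PGP and SHA512 links use `https://downloads.apache.org/`; since the hrefs are being changed anyway, switch the closer.lua links to `https://` so the tarball is also fetched over TLS. The split of tarball (mirror via closer.lua) versus signature and checksum (canonical downloads.apache.org) is correct and should stay as is. Minor: the unchanged context line "This is current CloudStack LTS release." is missing "the".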
@@ -66,12 +66,14 @@ repositories that also include noredist libraries:
 - EL9 RPM repository: http://download.cloudstack.org/el/9/
 - EL8 RPM repository: http://download.cloudstack.org/el/8/
 - EL7 RPM repository: http://download.cloudstack.org/el/7/
-- EL6 RPM repository (for 4.13 and older releases): 
http://download.cloudstack.org/centos/6/
 - SUSE/openSUSE 15 RPM repository: http://download.cloudstack.org/suse/15/
 
 Experimental ARM64 packages:
 - Ubuntu/DEB repository: http://download.cloudstack.org/arm64/
 
+Old repositories for distros eached EOL:
+- EL6 RPM repository (for 4.13 and older releases): 
http://download.cloudstack.org/centos/6/
+
 Instructions for using these community provided repositories can be found in 
the
 [Configure Package
 
Repository](http://docs.cloudstack.apache.org/en/latest/installguide/management-server/#configure-package-repository)
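Review bot: typo in the new heading line "Old repositories for distros eached EOL:"; it should read "Old repositories for distros that have reached EOL:". Moving the EL6 entry (for 4.13 and older releases) under an EOL heading instead of deleting it is the right call, since operators still on those releases need the repository URL to locate packages.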
diff --git a/src/pages/index.tsx b/src/pages/index.tsx
index ed4e7b21..52c609ed 100644
--- a/src/pages/index.tsx
+++ b/src/pages/index.tsx
@@ -26,8 +26,8 @@ Apache CloudStack™  is an open-source software system 
designed to deploy and m
             <div class="center-buttons">
               <a href="downloads" class="btn btn-light btn-size">Download</a>
              &nbsp;
-              <a href="https://docs.cloudstack.apache.org/en/4.19.0.0/"; 
target="_blank" class="btn btn-outline-light btn-size">Documentation</a>
-              <p class="small mt-3">Apache CloudStack 4.19.0.1 is out!</p>
+              <a href="https://docs.cloudstack.apache.org/en/4.19.0.2/"; 
target="_blank" class="btn btn-outline-light btn-size">Documentation</a>
+              <p class="small mt-3">Apache CloudStack 4.19.0.2 is out!</p>
             </div>
           </div>
           <div class="col-lg-7"><img src="/img/CloudStack_monkey_cloud.png" 
class="img-fluid" alt=""/></div>
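Review bot: the Documentation link rewritten in this hunk keeps `target="_blank"` without a `rel="noopener noreferrer"` attribute; since the href is already being changed, add the `rel` so the opened docs tab cannot reach back to this page through `window.opener`. Also, this file is TSX but the markup uses `class=` rather than `className=` (for example `<div class="center-buttons">`); React warns about that property name, and it is worth correcting on the lines being touched.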
@@ -219,10 +219,10 @@ specific infrastructure.
               <div class="col col-lg-5">
                 <h2 class="section-title mb-4 margin-second">Latest 
Release</h2>
                 <div class="center-buttons">
-                  <p class="px18">Apache CloudStack 4.19.0.1 is out!<br/>This 
is the latest LTS release.</p>
+                  <p class="px18">Apache CloudStack 4.19.0.2 is out!<br/>This 
is the latest LTS release.</p>
                   <a href="downloads" class="btn btn-primary 
btn-size">Download</a>
                   &nbsp;
-                  <a href="https://docs.cloudstack.apache.org/en/4.19.0.0/"; 
target="_blank" class="btn btn-outline-secondary btn-size">Documentation</a>
+                  <a href="https://docs.cloudstack.apache.org/en/4.19.0.2/"; 
target="_blank" class="btn btn-outline-secondary btn-size">Documentation</a>
                 </div>
               </div>
               <div class="col-lg-7"><img 
src="/img/CloudStack_release_illustration.png" class="img-fluid img-release" 
alt=""/></div>
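Review bot: the removed lines show the Documentation href pointing at 4.19.0.0 while the adjacent paragraph announced 4.19.0.1, so the previous bump missed one of the hard-coded version strings in this file. Suggest deriving the announced version and the docs URL from the head of the `versions` array in `src/components/Releases/index.tsx`, which this commit already updates, so the next release cannot drift the same way. The `target="_blank"` link here has the same missing `rel="noopener noreferrer"` as the one earlier in the file.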