On Mon, Jun 03, 2013 at 03:40:04PM +0530, Prasanna Santhanam wrote:
> On Sat, Jun 01, 2013 at 01:35:06PM -0400, Chip Childers wrote:
> > The vote has *passed* with the following results (binding PMC votes
> > indicated with a "*" next to their name):
> > 
> > +1 : Edison*, Hugo*, Marcus*, David*, Wido*, Ilya, Animesh, Milamber,
> >      Joe*, Simon, Prasanna*
> > -0 : John
> > -1 : Ove
> > 
> > I'm going to proceed with moving the release into the distribution repo
> > now, and will do the DEB / RPM builds to push Wido's repo site / push
> > cloudmonkey to pypi on Monday.
> > 
> > I do note Ove's -1, due to upstream Tomcat changes.  I know Prasanna
> > mentioned that he was going to check with that project to see why the
> > change happened.  We will need to discuss what (if anything) this
> > project should do to resolve the issue for users.  This issue will block
> > users of all prior versions as well, so it's nothing *in* our code that
> > causes the bug.  This is my logic for not cancelling the vote.
> > 
> 
> I couldn't find a reasonably good solution for this. The vulnerability
> was fixed in Tomcat more than a year ago and it was applied only
> recently, as Ove pointed out, in the distros. While this doesn't affect
> those upgrading, it is problematic for those installing CloudStack
> afresh.  Any version - 3.0.2, ($insert_commercial_version), 4.0,
> 4.0.1, 4.0.2, 4.1 and even the 4.2-SNAPSHOT RPMs.
> 
> I've applied a fix on master (54127f8) that I think is reasonable by
> changing the permissions on the file so it is owned by user `cloud`,
> which is the user cloudstack-management will run as. To understand why
> this is not an obvious hack please see [1]. If there's an even more
> elegant way, please let the list know.

This seems like a reasonable fix to me.  I'll cherry-pick it over to
4.0.

> 
> I'm also not quite sure how and when the deb packages will be
> affected. It looked like the debian users haven't reported this
> problem yet. We started seeing issues of this right after May 25th,
> should've paid more attention then (/me facepalm)

CLOUDSTACK-2758 should probably stay open, pending a DEB fix to pre-empt
the issue occurring in those distros.

> 
> It's an awkward situation, so I'm not sure what will be the next
> course of action since our src release is ready to be published.
> 
> The options are:
> a) Publish workaround of giving `cloud` permissions to catalina.out
> b) Release a new source package with fix cherry-picked to 4.1 and
> wherever applicable.
> 
> b. shouldn't take longer - just testing the packaging should be
> sufficient. CloudStack's overall functionality is satisfactory from
> the tests done so far.

Unfortunately, perhaps I made a big mistake by not cancelling the VOTE
and performing the release copy.  At this point, 4.0.0 is *frozen* from
changes per ASF release policies (we can't change the bits after I put
them in the release dir).

So...  I'm actually going to propose 2 things:

1) I'm going to build the RPMs that we'll host from Wido's repo server
*with* the fix Prasanna provided.

2) Someone (not me, due to vacation starting Wed) needs to spin a 4.1.1 release
ASAP to include the fix for this.

> 
> [1] http://markmail.org/thread/wuknrv3ml5lfdq7c
> 
> -- 
> Prasanna.,
> 