Hi Wei, the workaround is only necessary when the kernel security patch cannot be applied and afterwards the host cannot be rebooted. For 4.11.3.0 rc1, the new systemvmtemplate has the latest kernel security patch.

Regards,
Rohit Yadav

________________________________
From: Wei ZHOU <ustcweiz...@gmail.com>
Sent: Wednesday, June 19, 2019 12:02:46 AM
To: dev@cloudstack.apache.org
Subject: Re: [VOTE] 4.11.3.0 RC1

Hi Rohit,

Do we need to change default iptable tables for cpvm and ssvm?

# iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

(see https://access.redhat.com/security/vulnerabilities/tcpsack)

-Wei

Rohit Yadav <rohit.ya...@shapeblue.com> wrote on Tue, Jun 18, 2019 at 11:57 AM:

> All,
>
> Due to recently disclosed and fixed tcp/SACK vulnerability and other
> security issues (refer https://www.debian.org/security/2019/dsa-4465),
> I've rebuilt and synced new 4.11.3.0 systemvmtemplates which has linux
> 4.9.168-1+deb9u3 (2019-06-16):
>
> http://download.cloudstack.org/systemvm/testing/4.11.3-rc
> http://packages.shapeblue.com/testing/systemvm/41130rc1
>
> Kindly continue testing 4.11.3.0 RC1 using above systemvmtemplates. Thanks.
>
> Build log for reference:
> http://download.cloudstack.org/systemvm/testing/4.11.3-rc/build.log
>
> Regards,
>
> Rohit Yadav
> Software Architect, ShapeBlue
> https://www.shapeblue.com
>
> ________________________________
> From: Riepl, Gregor (SWISS TXT) <gregor.ri...@swisstxt.ch>
> Sent: Friday, June 14, 2019 7:45:58 PM
> To: dev@cloudstack.apache.org; us...@cloudstack.apache.org
> Subject: Re: [VOTE] 4.11.3.0 RC1
>
> +1
>
> Based on:
> - Packages from http://packages.shapeblue.com/testing/41130rc1/ and
>   http://packages.shapeblue.com/testing/systemvm/41130rc1/
> - Upgrade of our test cloud from 4.11.2 to 4.11.3 worked without problems
>   (aside from the mentioned template issue)
> - Our internal smoke test stack ran successfully
>
> The only thing I'm a bit unhappy about is the backported ostype API fix:
> https://github.com/apache/cloudstack/pull/3066
> Since this is a breaking API change, I don't think it should be included
> in a minor release, even if it fixes an API bug.
> It triggers an error in Packer, which we use to create templates.
> However, a fix was already committed and will be in the next Packer
> release, so I'm ok'ing it: https://github.com/hashicorp/packer/pull/7694
>
> rohit.ya...@shapeblue.com
> www.shapeblue.com<http://www.shapeblue.com>
> Amadeus House, Floral Street, London WC2E 9DPUK
> @shapeblue