Hi,
We've just released new versions of Ganeti 1.2 and 2.0 (and a new
release candidate for 2.1), fixing a serious security issue
(CVE-2009-4261):
- http://ganeti.googlecode.com/files/ganeti-2.0.5.tar.gz
- http://ganeti.googlecode.com/files/ganeti-2.1.0~rc2.tar.gz
- http://ganeti.googlecode.com/files/ganeti-1.2.9.tar.gz
The problem relates to missing validation of iallocator names, and this
allows remote execution of arbitrary programs on the master node.
It is recommended to upgrade as soon as possible to the new versions, or
alternatively patching your current version with the following patches
from the Git repository:
- 2.0:
-
http://git.ganeti.org/?p=ganeti.git;a=commit;h=4fe80ef2ed1cda3a6357274eccafe5c1f21a5283
-
http://git.ganeti.org/?p=ganeti.git;a=commit;h=f95c81bf21c177f7e6a2c53ea0613034326329bd
- 1.2:
-
http://git.ganeti.org/?p=ganeti.git;a=commit;h=c899750fde9828d76526eed47935a46335124d88
-
http://git.ganeti.org/?p=ganeti.git;a=commit;h=b0fc8c8943764d182fe2cc1876747ea2c2e4df09
- for 2.1 it's not possible to link directly to patches, it's
recommended to use the new archive (ganeti-2.1.0~rc2.tar.gz)
In case upgrade or patching is not immediately possible, you can
implement the following work-around measures:
- if you don't use any iallocator scripts, remove the ganeti
iallocator script directories (the list of directories present in
_autoconf.py as IALLOCATOR_SEARCH_PATH), e.g. "mv
/usr/lib/ganeti/iallocators /usr/lib/ganeti/iallocators.old" if you
have a single directory
- disabling any sudo access to the gnt-* commands
- firewalling the RAPI port (allowing only trusted hosts) or disabling
it either via rename of the binary or modification (note that just
stopping the 'ganeti-rapi' daemon is not enough since the watcher
will try to restart it)
Note that in general it is recommended that the RAPI port is not exposed
too widely.
Regards,
(iustin on behalf of) ganeti-team
