Dear OpenNebula users,

A potential security vulnerability was found in the contextualization image creation code. This feature lets the user add files to the context image created before VM startup. It is very handy for modifying the behavior or configuration of the VM without modifying the disk image. Because you can specify any file readable by the <oneadmin> user (the user that runs the oned daemon), sensitive files can be added to the context image and then retrieved by connecting to the newly created VM.

In order to deal with this issue, the OpenNebula Team announces an asynchronous release of the OpenNebula 2.2 series, version 2.2.1, which comes with a fix for the security issue found in the OCCI and econe cloud servers.

- Release Notes: http://opennebula.org/software:rnotes:rn-rel2.2.1
- Software Download: http://opennebula.org/software:software
- Security Issue Ticket: http://dev.opennebula.org/issues/670

We would like to thank Vivien Bernet-Rollande <vivien.bernet-rolla...@nexen.alterway.fr> for noticing the bug and for providing a patch to fix it.

We are working on a more robust and flexible fix, and we will keep you informed of the developments.

With kind regards,

The OpenNebula Project

--
Constantino Vázquez Blanco, MSc
OpenNebula Major Contributor
www.OpenNebula.org | @tinova79
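
Added example, not part of the original announcement and not OpenNebula's fix: one way to refuse context files that resolve outside an approved directory, written in Ruby. The helper name, the space-separated list format and the sample tree are assumptions constructed for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical helper, not OpenNebula code. Assumes the requested context
# files arrive as one space-separated string (paths with spaces unsupported).
def filter_context_files(files_attr, allowed_dirs)
  roots = allowed_dirs.map { |d| File.realpath(d) }
  accepted = []
  rejected = []
  files_attr.split.each do |path|
    begin
      # realpath resolves ".." and symlinks, so the check is made on the
      # file the daemon user would actually read, not on the string given.
      real = File.realpath(path)
    rescue SystemCallError
      rejected << path # missing or unresolvable: refuse
      next
    end
    inside = roots.any? { |r| real.start_with?(r + File::SEPARATOR) }
    (inside && File.file?(real) ? accepted : rejected) << path
  end
  [accepted, rejected]
end

# Constructed sample tree: one legitimate file and three ways of reaching a
# file outside the approved directory, plus a path that does not exist.
def demo_context_filter
  Dir.mktmpdir do |tmp|
    allowed = File.join(tmp, 'context')
    private_dir = File.join(tmp, 'private')
    FileUtils.mkdir_p([allowed, private_dir])
    init = File.join(allowed, 'init.sh')
    secret = File.join(private_dir, 'secret.txt')
    File.write(init, "#!/bin/sh\n")
    File.write(secret, "constructed secret\n")
    link = File.join(allowed, 'link')
    File.symlink(secret, link)
    dotdot = File.join(allowed, '..', 'private', 'secret.txt')
    missing = File.join(allowed, 'missing')
    request = [init, secret, link, dotdot, missing].join(' ')
    accepted, rejected = filter_context_files(request, [allowed])
    { accepted: accepted.map { |p| File.basename(p) }, rejected: rejected.size }
  end
end

p demo_context_filter if __FILE__ == $PROGRAM_NAME
```

Only the file that genuinely lives under the approved directory is accepted; the direct path, the symlink, the ".." traversal and the missing file are all refused.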