Eric, the bug was fixed by a Citrix employee from India and it was reported by Citrix in California. All ShapeBlue has done was include it in its packaging after it was contributed to the Apache CloudStack repository. So I would say Citrix' contribution to this is instrumental and fundamental.
kind regards,
Daan (working for neither ShapeBlue nor Citrix, yet grateful to both)

On Tue, Dec 9, 2014 at 5:26 PM, <esander...@hushmail.com> wrote:
> Good evening,
> Just asking about the group.
> If it wasn't for ShapeBlue, what other user/body in the CloudStack
> community would resolve this quickly? How much is Citrix even helping
> out anymore?
> thank you
> Eric
>
> On 12/9/2014 at 3:40 AM, "Rohit Yadav" wrote:
> ShapeBlue has created a patch that fixes this issue for Apache CloudStack 4.3.1 users; it is
> available from their "main" deb/rpm repository. ShapeBlue has also
> published Apache CloudStack 4.4.2 debs/rpms on their main and upstream
> repositories.
>
> Repository: http://shapeblue.com/packages
> Release notes:
> https://github.com/shapeblue/cloudstack/wiki/Apache-CloudStack-4.3.1-ShapeBlue-Patch02
> Source tag 4.3.1-shapeblue-02:
> https://github.com/shapeblue/cloudstack/releases/tag/shapeblue-4.3.1-02
>
> Regards.
>
>> On 09-Dec-2014, at 1:41 am, John Kinsella wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
>>
>> CVSS:
>> 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
>>
>> Vendors:
>> The Apache Software Foundation
>> Citrix, Inc.
>>
>> Versions Affected:
>> Apache CloudStack 4.3, 4.4
>>
>> Description:
>> Apache CloudStack may be configured to authenticate LDAP users.
>> When so configured, it performs a simple LDAP bind with the name
>> and password provided by a user. Simple LDAP binds are defined
>> with three mechanisms (RFC 4513): 1) username and password; 2)
>> unauthenticated if only a username is specified; and 3) anonymous
>> if neither username nor password is specified. Currently, Apache
>> CloudStack does not check if the password was provided, which could
>> allow an attacker to bind as an unauthenticated user.
>>
>> Mitigation:
>> Users of Apache CloudStack 4.4 and derivatives should update to the
>> latest version (4.4.2)
>>
>> An updated release for Apache CloudStack 4.3.2 is in testing. Until
>> that is released, we recommend following the mitigation below:
>>
>> By default, many LDAP servers are not configured to allow unauthenticated
>> binds. If the LDAP server in use allows this behaviour, a potential
>> interim solution would be to consider disabling unauthenticated
>> binds.
>>
>> Credit:
>> This issue was identified by the Citrix Security Team.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>> Comment: GPGTools - http://gpgtools.org
>>
>> iQIcBAEBCgAGBQJUhgUCAAoJEOom9N0pCN7SOQMQAKyBuhg25u3FcVOU5XMdGGpT
>> 2kSVFoLFR74ObI8bdr3HP+2LdLf/Go9QBBrWlZ034FUj6OV0Ct5o8TNB6AHbv0qF
>> Ar4N05JoGtPaDCe9sWV/+ykOJH8snQjnYwVFrLZlLw8Y/JUQ+I1yJBksw8a2/hT2
>> vmYgYiAQyrEMMk4bhBBlEyaJFMhuMtKtgUqLDW8wmlhkt2acZMt/0BKxDwAO8o7m
>> 6ypepPCmkPHUpD50tfcCI+K4ib/C5EOn40n4orM97/JHZLsCyhz5nk36eQMOQQz2
>> fJlaA04fQSV4Cv7c+S0LPh5e4e6TPSrOW3O4/V2dkjK/GgP8kUoo7ivyjIw6d2oJ
>> Z5vqqgxrmgwDjH58YfVu3tyVuDlOFTZfCLkhdoXMxHfMLYYKeXkffRli9XabxrE+
>> AkVoXaQAumf8IzTLVSQztV18jC79kvEeCV0pFYOjb/X/gShemruqmCWVDulj1ax6
>> tzoP+Bm2mQRyrRClY37R+q3cQ2z6eNAC/vAoYzhYBN1o63MYneLYDADhyE6YIGz0
>> LTbDDGFn0WVdFDrqworHdYDIMW7HQFMNtsQuueeP7LBldsgyTmjmBMp+S3Tq27UT
>> RaVgp3n9ZUPdzj/i1vvJBrATKUNmv1GDoy+C1GPNx423nEOe7dFkMJARlcbf5Pml
>> 03DX+ot4Xan0P5HXPT+r
>> =QqOf
>> -----END PGP SIGNATURE-----
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
> Find out more about ShapeBlue and our range of CloudStack related
> services

--
Daan
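As an added illustration that is not part of this thread and not CloudStack's own code, the Python below models the three simple-bind mechanisms of RFC 4513 that the advisory lists, using an in-memory stand-in for a directory server (the `FakeLdapServer` class, the `login_*` functions and the `uid=alice,...` entry are all constructed for this example). It contrasts the bind-and-trust pattern the advisory describes with a check that refuses to bind at all when the password field is empty and only accepts a result that proves the password was actually verified.

```python
"""Model of RFC 4513 simple-bind semantics and the credential check that
closes the gap described in CVE-2014-7807.

Hypothetical example: FakeLdapServer is an in-memory stand-in for a
directory, not a real LDAP client and not CloudStack's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Constructed in-memory directory applying the three simple-bind
    mechanisms of RFC 4513 section 5.1."""
    passwords: dict = field(default_factory=dict)
    # Unauthenticated binds are off by default on many servers; the
    # advisory's interim mitigation is to keep them off.
    allow_unauthenticated: bool = False

    def simple_bind(self, name: str, password: str) -> str:
        # Mechanism 3: anonymous bind, no name and no password.
        if not name and not password:
            return "anonymous"
        # Mechanism 2: unauthenticated bind, a name but no password.
        # A permissive server reports success without checking anything.
        if name and not password:
            if self.allow_unauthenticated:
                return "unauthenticated"
            raise PermissionError("unauthenticated binds disabled")
        # Mechanism 1: name/password authentication.
        if self.passwords.get(name) == password:
            return "authenticated"
        raise PermissionError("invalid credentials")


def login_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """The pattern the advisory describes: hand whatever the user typed to
    the bind and treat any bind success as a login."""
    try:
        server.simple_bind(username, password)
        return True
    except PermissionError:
        return False


def login_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Refuse to bind unless both fields are present, then accept only a
    result that proves the password was checked (mechanism 1)."""
    if not username or not password:
        return False
    try:
        return server.simple_bind(username, password) == "authenticated"
    except PermissionError:
        return False


if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=org"  # constructed sample entry
    permissive = FakeLdapServer({alice: "s3cret"}, allow_unauthenticated=True)
    strict = FakeLdapServer({alice: "s3cret"})
    for label, server in (("permissive", permissive), ("strict", strict)):
        for user, pw in ((alice, ""), ("", ""), (alice, "s3cret"), (alice, "wrong")):
            print(f"{label:10} user={user or '<none>':28} pw={pw or '<empty>':8} "
                  f"vulnerable={login_vulnerable(server, user, pw)!s:5} "
                  f"hardened={login_hardened(server, user, pw)}")
```

Run it as `python ldap_bind_check.py` to see the two columns side by side: against the permissive server the vulnerable path accepts a known username with an empty password, and accepts an empty name with an empty password too, because an anonymous bind succeeds regardless of the unauthenticated-bind setting. Both layers of mitigation from the advisory show up here: the application-side check in `login_hardened`, and the server-side setting (`allow_unauthenticated` in the model; in OpenLDAP this is the `allow bind_anon_dn` directive, which is off by default) that makes the vulnerable path fail even before the application is patched.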