Ha! Sorry.. I got your last name confused with UK side and Geoff/Giles filled in that hole.. /me smack.. ha

On 12/9/2014 at 5:03 PM, "Daan Hoogland" wrote:

I am not working for ShapeBlue, Eric, nor for Citrix, but they both help out a lot, yes.

On Tue, Dec 9, 2014 at 11:56 PM, wrote:
> Daan,
> Thank you for your insight on this matter.
> I have seen on occasion that Citrix comes in and helps out. You guys
> (shapeblue) have definitely been contributing to this forum a whole
> lot and for that I appreciate it.
> thank you again
> eric
>
> On 12/9/2014 at 4:49 PM, "Daan Hoogland" wrote:
> Eric, the bug was fixed by a Citrix employee from India and it was
> reported by Citrix in California. All ShapeBlue has done was include
> it in its packaging after it was contributed to the Apache CloudStack
> repository. So I would say Citrix' contribution to this is
> instrumental and fundamental.
> kind regards,
> Daan (working for neither ShapeBlue nor Citrix, yet grateful to both)
>
> On Tue, Dec 9, 2014 at 5:26 PM, wrote:
>> Good evening,
>> Just asking about the group.
>> If it wasn't for shapeblue, what other user/body in the cloudstack
>> community would resolve this quickly? How much is Citrix even helping
>> out anymore?
>> thank you
>> Eric
>>
>> On 12/9/2014 at 3:40 AM, "Rohit Yadav" wrote:
>> ShapeBlue has created a patch that fixes this issue for Apache
>> CloudStack 4.3.1 users; it is available from their "main" deb/rpm
>> repository. ShapeBlue has also published Apache CloudStack 4.4.2
>> debs/rpms on their main and upstream repositories.
>>
>> Repository: http://shapeblue.com/packages
>> Release notes:
>> https://github.com/shapeblue/cloudstack/wiki/Apache-CloudStack-4.3.1-ShapeBlue-Patch02
>> Source tag 4.3.1-shapeblue-02:
>> https://github.com/shapeblue/cloudstack/releases/tag/shapeblue-4.3.1-02
>>
>> Regards.
>>
>>> On 09-Dec-2014, at 1:41 am, John Kinsella wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
>>>
>>> CVSS:
>>> 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
>>>
>>> Vendors:
>>> The Apache Software Foundation
>>> Citrix, Inc.
>>>
>>> Versions Affected:
>>> Apache CloudStack 4.3, 4.4
>>>
>>> Description:
>>> Apache CloudStack may be configured to authenticate LDAP users.
>>> When so configured, it performs a simple LDAP bind with the name
>>> and password provided by a user. Simple LDAP binds are defined
>>> with three mechanisms (RFC 4513): 1) username and password; 2)
>>> unauthenticated if only a username is specified; and 3) anonymous
>>> if neither username nor password is specified. Currently, Apache
>>> CloudStack does not check if the password was provided, which could
>>> allow an attacker to bind as an unauthenticated user.
>>>
>>> Mitigation:
>>> Users of Apache CloudStack 4.4 and derivatives should update to the
>>> latest version (4.4.2).
>>>
>>> An updated release for Apache CloudStack 4.3.2 is in testing. Until
>>> that is released, we recommend following the mitigation below:
>>>
>>> By default, many LDAP servers are not configured to allow
>>> unauthenticated binds. If the LDAP server in use allows this
>>> behaviour, a potential interim solution would be to consider
>>> disabling unauthenticated binds.
>>>
>>> Credit:
>>> This issue was identified by the Citrix Security Team.
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1
>>> Comment: GPGTools - http://gpgtools.org
>>>
>>> iQIcBAEBCgAGBQJUhgUCAAoJEOom9N0pCN7SOQMQAKyBuhg25u3FcVOU5XMdGGpT
>>> 2kSVFoLFR74ObI8bdr3HP+2LdLf/Go9QBBrWlZ034FUj6OV0Ct5o8TNB6AHbv0qF
>>> Ar4N05JoGtPaDCe9sWV/+ykOJH8snQjnYwVFrLZlLw8Y/JUQ+I1yJBksw8a2/hT2
>>> vmYgYiAQyrEMMk4bhBBlEyaJFMhuMtKtgUqLDW8wmlhkt2acZMt/0BKxDwAO8o7m
>>> 6ypepPCmkPHUpD50tfcCI+K4ib/C5EOn40n4orM97/JHZLsCyhz5nk36eQMOQQz2
>>> fJlaA04fQSV4Cv7c+S0LPh5e4e6TPSrOW3O4/V2dkjK/GgP8kUoo7ivyjIw6d2oJ
>>> Z5vqqgxrmgwDjH58YfVu3tyVuDlOFTZfCLkhdoXMxHfMLYYKeXkffRli9XabxrE+
>>> AkVoXaQAumf8IzTLVSQztV18jC79kvEeCV0pFYOjb/X/gShemruqmCWVDulj1ax6
>>> tzoP+Bm2mQRyrRClY37R+q3cQ2z6eNAC/vAoYzhYBN1o63MYneLYDADhyE6YIGz0
>>> LTbDDGFn0WVdFDrqworHdYDIMW7HQFMNtsQuueeP7LBldsgyTmjmBMp+S3Tq27UT
>>> RaVgp3n9ZUPdzj/i1vvJBrATKUNmv1GDoy+C1GPNx423nEOe7dFkMJARlcbf5Pml
>>> 03DX+ot4Xan0P5HXPT+r
>>> =QqOf
>>> -----END PGP SIGNATURE-----
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>> Find out more about ShapeBlue and our range of CloudStack related
>> services
>>
>> IaaS Cloud Design & Build
>> CSForge – rapid IaaS deployment framework
>> CloudStack Consulting
>> CloudStack Software Engineering
>> CloudStack Infrastructure Support
>> CloudStack Bootcamp Training Courses
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is addressed.
>> Any views or opinions expressed are solely those of the author and do
>> not necessarily represent those of Shape Blue Ltd or related
>> companies. If you are not the intended recipient of this email, you
>> must neither take any action based upon its contents, nor copy or show
>> it to anyone. Please contact the sender if you believe you have
>> received this email in error. Shape Blue Ltd is a company incorporated
>> in England & Wales. ShapeBlue Services India LLP is a company
>> incorporated in India and is operated under license from Shape Blue
>> Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in
>> Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA
>> Pty Ltd is a company registered by The Republic of South Africa and is
>> traded under license from Shape Blue Ltd. ShapeBlue is a registered
>> trademark.
>
> --
> Daan

--
Daan
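The CVE-2014-7807 advisory quoted in the thread turns on the three simple-bind forms of RFC 4513: an LDAP server that permits unauthenticated binds will answer a bind with a name and an empty password with success, so an application that forwards user input straight to bind() treats that as a valid login. The Python below is an added example written for this thread; it is not CloudStack's code nor any patch mentioned above. `FakeLdapServer` is a constructed stand-in for a directory server, the DN template is assumed, and `login_vulnerable` / `login_hardened` are illustrative names. It shows the defect pattern the advisory describes next to the application-side check (refuse an empty password before binding, and only trust a password-authenticated bind) and the server-side interim mitigation (disallowing unauthenticated binds).

```python
"""Added example: RFC 4513 simple-bind forms and the empty-password check.

Not CloudStack's code. FakeLdapServer is a constructed model of a directory
server; the DN template and function names are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class BindKind(Enum):
    """The three simple-bind mechanisms defined in RFC 4513 section 5.1."""
    ANONYMOUS = "anonymous"                # no name, no password
    UNAUTHENTICATED = "unauthenticated"    # name present, password empty
    AUTHENTICATED = "authenticated"        # name and password present


@dataclass
class FakeLdapServer:
    """Constructed stand-in for an LDAP server; `passwords` maps DN -> password."""
    passwords: Dict[str, str]
    # Many real servers disallow unauthenticated binds by default; the
    # advisory's interim mitigation is to make sure yours does too.
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str) -> Tuple[bool, BindKind]:
        """Return (success, which bind form the server actually performed)."""
        if not dn and not password:
            return True, BindKind.ANONYMOUS
        if dn and not password:
            # RFC 4513 5.1.2: the server MAY accept this; the result is an
            # anonymous authorization state, not proof of the caller's identity.
            return self.allow_unauthenticated, BindKind.UNAUTHENTICATED
        return self.passwords.get(dn) == password, BindKind.AUTHENTICATED


# Assumed DN layout for the example directory.
DN_TEMPLATE = "uid={user},ou=people,dc=example,dc=org"


def login_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """The pattern the advisory describes: whatever the user typed is forwarded
    to bind() and any successful bind is treated as a valid login."""
    ok, _kind = server.simple_bind(DN_TEMPLATE.format(user=username), password)
    return ok


def login_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Check that both a name and a non-empty password were supplied before
    talking to the server, and accept only a password-authenticated bind."""
    if not username or not password:
        return False
    ok, kind = server.simple_bind(DN_TEMPLATE.format(user=username), password)
    return ok and kind is BindKind.AUTHENTICATED


if __name__ == "__main__":
    # Constructed sample directory with one user.
    directory = {"uid=alice,ou=people,dc=example,dc=org": "correct horse"}
    lax = FakeLdapServer(directory, allow_unauthenticated=True)
    strict = FakeLdapServer(directory, allow_unauthenticated=False)

    print("vulnerable login, empty password, lax server:   ",
          login_vulnerable(lax, "alice", ""))        # True  (the bug)
    print("vulnerable login, empty password, strict server:",
          login_vulnerable(strict, "alice", ""))     # False (interim mitigation)
    print("hardened login, empty password, lax server:     ",
          login_hardened(lax, "alice", ""))          # False (application check)
    print("hardened login, correct password:               ",
          login_hardened(lax, "alice", "correct horse"))  # True
```

The two fixes are complementary: the server-side setting stops the unauthenticated form at the directory, while the application-side check means the login path no longer depends on how every LDAP server it might be pointed at is configured.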