On Dec 9, 2014, at 11:56 PM, esander...@hushmail.com wrote:
> Daan,
> Thank you for your insight on this matter.
> I have seen on occasion that Citrix comes in and helps out. You guys
> (shapeblue) have definitely been contributing to this forum a whole
> lot and for that I appreciate it.
> thank you again
> eric
Hi Eric,

I work for Citrix but I write from my gmail address. The reason being that at the Apache Software Foundation companies have no standing; contributors are not affiliated. This is a double-edged sword. If the presence of Citrix in the project is too strong then some folks will actually leave, analysts will say that this is a Citrix project, etc. If the presence is not strong enough then we get messages like yours which make it sound like Citrix had nothing to do in the CVE.

The bottom line is that this is a true open source project: it cannot be bought, it cannot be steered by companies' interests. If a two-person company "joins" the list and starts to contribute day in and day out, they may end up with more say than Citrix, who knows.

Finally, I have always thought that for the long-term sustainability of the project, we should minimize Citrix's participation. You read that right: the community needs to be self-sustaining enough that Citrix participation does not matter. So I am very happy that ShapeBlue applied the patch and updated their repo right away (it's good incident response); next time I hope that Schuberg Philis will find the security flaw, that CloudOps will patch, that ShapeBlue will update the repo and that Appcore holds a 24/7 hangout for 2 weeks to help users patch their setup.

Reducing the reliance on Citrix is key to attracting other folks to this project.

My 2 cts

-Sebastien

> On 12/9/2014 at 4:49 PM, "Daan Hoogland" wrote:
> Eric, the bug was fixed by a Citrix employee from India and it was
> reported by Citrix in California. All ShapeBlue has done was include
> it in its packaging after it was contributed to the Apache CloudStack
> repository. So I would say Citrix' contribution to this is
> instrumental and fundamental.
>
> kind regards,
> Daan (working for neither ShapeBlue nor Citrix, yet grateful to both)
>
> On Tue, Dec 9, 2014 at 5:26 PM, wrote:
>> Good evening,
>> Just asking about the group.
>> If it wasn't for ShapeBlue, what other user/body in the CloudStack
>> community would resolve this quickly? How much is Citrix even helping
>> out anymore?
>> thank you
>> Eric
>>
>> On 12/9/2014 at 3:40 AM, "Rohit Yadav" wrote:
>> ShapeBlue has created a patch that fixes this issue for Apache CloudStack 4.3.1 users; it is
>> available from their “main” deb/rpm repository. ShapeBlue has also
>> published Apache CloudStack 4.4.2 debs/rpms on their main and upstream
>> repositories.
>>
>> Repository: http://shapeblue.com/packages
>> Release notes:
>> https://github.com/shapeblue/cloudstack/wiki/Apache-CloudStack-4.3.1-ShapeBlue-Patch02
>> Source tag 4.3.1-shapeblue-02:
>> https://github.com/shapeblue/cloudstack/releases/tag/shapeblue-4.3.1-02
>>
>> Regards.
>>
>>> On 09-Dec-2014, at 1:41 am, John Kinsella wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
>>>
>>> CVSS:
>>> 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
>>>
>>> Vendors:
>>> The Apache Software Foundation
>>> Citrix, Inc.
>>>
>>> Versions Affected:
>>> Apache CloudStack 4.3, 4.4
>>>
>>> Description:
>>> Apache CloudStack may be configured to authenticate LDAP users.
>>> When so configured, it performs a simple LDAP bind with the name
>>> and password provided by a user. Simple LDAP binds are defined
>>> with three mechanisms (RFC 4513): 1) username and password; 2)
>>> unauthenticated if only a username is specified; and 3) anonymous
>>> if neither username nor password is specified. Currently, Apache
>>> CloudStack does not check if the password was provided, which could
>>> allow an attacker to bind as an unauthenticated user.
>>>
>>> Mitigation:
>>> Users of Apache CloudStack 4.4 and derivatives should update to the
>>> latest version (4.4.2)
>>>
>>> An updated release for Apache CloudStack 4.3.2 is in testing.
>>> Until that is released, we recommend following the mitigation below:
>>>
>>> By default, many LDAP servers are not configured to allow unauthenticated
>>> binds. If the LDAP server in use allows this behaviour, a potential
>>> interim solution would be to consider disabling unauthenticated
>>> binds.
>>>
>>> Credit:
>>> This issue was identified by the Citrix Security Team.
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1
>>> Comment: GPGTools - http://gpgtools.org
>>>
>>> iQIcBAEBCgAGBQJUhgUCAAoJEOom9N0pCN7SOQMQAKyBuhg25u3FcVOU5XMdGGpT
>>> 2kSVFoLFR74ObI8bdr3HP+2LdLf/Go9QBBrWlZ034FUj6OV0Ct5o8TNB6AHbv0qF
>>> Ar4N05JoGtPaDCe9sWV/+ykOJH8snQjnYwVFrLZlLw8Y/JUQ+I1yJBksw8a2/hT2
>>> vmYgYiAQyrEMMk4bhBBlEyaJFMhuMtKtgUqLDW8wmlhkt2acZMt/0BKxDwAO8o7m
>>> 6ypepPCmkPHUpD50tfcCI+K4ib/C5EOn40n4orM97/JHZLsCyhz5nk36eQMOQQz2
>>> fJlaA04fQSV4Cv7c+S0LPh5e4e6TPSrOW3O4/V2dkjK/GgP8kUoo7ivyjIw6d2oJ
>>> Z5vqqgxrmgwDjH58YfVu3tyVuDlOFTZfCLkhdoXMxHfMLYYKeXkffRli9XabxrE+
>>> AkVoXaQAumf8IzTLVSQztV18jC79kvEeCV0pFYOjb/X/gShemruqmCWVDulj1ax6
>>> tzoP+Bm2mQRyrRClY37R+q3cQ2z6eNAC/vAoYzhYBN1o63MYneLYDADhyE6YIGz0
>>> LTbDDGFn0WVdFDrqworHdYDIMW7HQFMNtsQuueeP7LBldsgyTmjmBMp+S3Tq27UT
>>> RaVgp3n9ZUPdzj/i1vvJBrATKUNmv1GDoy+C1GPNx423nEOe7dFkMJARlcbf5Pml
>>> 03DX+ot4Xan0P5HXPT+r
>>> =QqOf
>>> -----END PGP SIGNATURE-----
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
> --
> Daan
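The advisory quoted in this thread describes three RFC 4513 simple-bind mechanisms and a client that forwards whatever password the user typed, so an empty password turns into an unauthenticated bind that a permissive directory answers with success. The Python model below is an added example, not Apache CloudStack's own (Java) code and not code from any poster on this thread. It simulates a directory server's bind handling over a constructed single-user directory and puts the vulnerable client pattern beside a hardened one. `LdapServerModel`, `simple_bind`, `authenticate_vulnerable`, `authenticate_fixed`, the base DN and the sample user are all assumptions made for illustration.

```python
"""Model of the CVE-2014-7807 unauthenticated-bind bug class.

Added example: not Apache CloudStack's code and not any poster's code.
The directory contents, base DN and function names are assumptions.
"""
from dataclasses import dataclass

# Constructed sample directory (DN -> password); not real data.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": "correct-horse-battery",
}
BASE_DN = "ou=users,dc=example,dc=com"  # assumed search base


@dataclass(frozen=True)
class BindResult:
    success: bool
    mechanism: str  # "authenticated", "unauthenticated", "anonymous" or "rejected"


class LdapServerModel:
    """Simulates the simple-bind rules of RFC 4513 section 5.1.

    allow_unauthenticated stands in for the server-side setting the
    advisory's interim mitigation asks operators to turn off.
    """

    def __init__(self, directory, allow_unauthenticated, allow_anonymous=True):
        self.directory = directory
        self.allow_unauthenticated = allow_unauthenticated
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if not dn and not password:
            # RFC 4513 5.1.1: anonymous bind (empty name, empty password).
            return BindResult(self.allow_anonymous, "anonymous")
        if dn and not password:
            # RFC 4513 5.1.2: unauthenticated bind. A server that allows it
            # reports success without ever checking a credential.
            return BindResult(self.allow_unauthenticated, "unauthenticated")
        if not dn:
            # Empty name with a password is none of the three mechanisms.
            return BindResult(False, "rejected")
        # RFC 4513 5.1.3: name/password bind, the only one that proves identity.
        ok = self.directory.get(dn) == password
        return BindResult(ok, "authenticated" if ok else "rejected")


def user_dn(username: str) -> str:
    return f"uid={username},{BASE_DN}"


def authenticate_vulnerable(server, username, password) -> bool:
    """The pattern the advisory describes: forward the user's input to the
    directory and trust the bind result. With password == "" the request
    is an unauthenticated bind, and a permissive server answers success."""
    return server.simple_bind(user_dn(username), password).success


def authenticate_fixed(server, username, password) -> bool:
    """Hardened client: never send an empty name or password, and accept
    only a bind that the server treated as a name/password bind. The check
    happens before the network call, so it holds no matter how the
    directory server is configured."""
    if not username or not password:
        return False
    result = server.simple_bind(user_dn(username), password)
    return result.success and result.mechanism == "authenticated"


if __name__ == "__main__":
    permissive = LdapServerModel(DIRECTORY, allow_unauthenticated=True)
    strict = LdapServerModel(DIRECTORY, allow_unauthenticated=False)
    for label, fn in (("vulnerable", authenticate_vulnerable), ("fixed", authenticate_fixed)):
        print(label, "alice + empty password, permissive server:", fn(permissive, "alice", ""))
        print(label, "alice + empty password, strict server:    ", fn(strict, "alice", ""))
        print(label, "alice + correct password:                 ",
              fn(permissive, "alice", "correct-horse-battery"))
```

Running the model shows both halves of the advisory: the strict server (unauthenticated binds disabled) defeats the empty-password login even against the vulnerable client, which is the interim mitigation, while the fixed client refuses the empty password regardless of server policy, which is what the released patch had to do since the project cannot assume anything about the customer's directory.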