Dear OpenNebula users,

A potential security vulnerability was found in the contextualization
image creation code. This feature lets the user add files to the
context image created before VM startup. The feature is very handy for
modifying the behavior or configuration of the VM without modifying the
disk image. Because you can specify any file readable by the <oneadmin>
user (the user that runs the oned daemon), sensitive files can be added
to the context image and then retrieved by connecting to the newly
created VM.

In order to deal with this issue, the OpenNebula Team announces an
asynchronous release of the OpenNebula 2.2 series, version 2.2.1,
which comes with a fix for the security issue found in the OCCI and
econe cloud servers.

 - Release Notes:          http://opennebula.org/software:rnotes:rn-rel2.2.1
 - Software Download:      http://opennebula.org/software:software
 - Security Issue Ticket:  http://dev.opennebula.org/issues/670

We would like to thank Vivien Bernet-Rollande
<vivien.bernet-rolla...@nexen.alterway.fr> for noticing the bug and
for providing a patch to fix it. We are working on a more robust and
flexible fix and will keep you informed of developments.

With kind regards,

The OpenNebula Project

--
Constantino Vázquez Blanco, MSc
OpenNebula Major Contributor
www.OpenNebula.org | @tinova79
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
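
An added example, not part of the original announcement and not the OpenNebula patch: one way to restrict which files a context-image request may include, by resolving each requested path and accepting it only if it is a regular file inside an administrator-chosen directory. The function names, the space-separated list format and the sample files are assumptions constructed for illustration.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Hypothetical helper (not OpenNebula code): true if path lies under root.
def inside?(path, root)
  path.to_s.start_with?(root.to_s + File::SEPARATOR)
end

# Split a space-separated file list (assumed format) and accept only regular
# files whose fully resolved location is inside one of allowed_dirs.
def partition_context_files(files_attr, allowed_dirs)
  roots = allowed_dirs.map { |d| Pathname.new(d).realpath }
  accepted = []
  rejected = []
  files_attr.split.each do |entry|
    begin
      real = Pathname.new(entry).realpath # resolves symlinks and ".."
    rescue SystemCallError
      rejected << [entry, 'not found']
      next
    end
    if !real.file?
      rejected << [entry, 'not a regular file']
    elsif roots.none? { |r| inside?(real, r) }
      rejected << [entry, 'outside allowed directories']
    else
      accepted << real.to_s
    end
  end
  [accepted, rejected]
end

# Constructed sample tree: one legitimate file plus three requests that
# should be refused (symlink out, ".." traversal, missing file).
def demo
  Dir.mktmpdir do |tmp|
    ctx = File.join(tmp, 'context')
    priv = File.join(tmp, 'private')
    FileUtils.mkdir_p([ctx, priv])
    File.write(File.join(ctx, 'init.sh'), "#!/bin/sh\n")
    File.write(File.join(priv, 'secret.txt'), "constructed\n")
    File.symlink(File.join(priv, 'secret.txt'), File.join(ctx, 'link'))
    wanted = [File.join(ctx, 'init.sh'), File.join(ctx, 'link'),
              File.join(ctx, '..', 'private', 'secret.txt'),
              File.join(ctx, 'missing')].join(' ')
    ok, bad = partition_context_files(wanted, [ctx])
    [ok.map { |p| File.basename(p) }, bad.map(&:last)]
  end
end
```

The check runs on the resolved path, so a symlink placed inside the allowed directory that points elsewhere is refused along with plain `..` traversal.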