61 posts tagged with "announcement"

Recently the Apache CloudStack PMC was informed that the realhostip.com Dynamic DNS service that CloudStack currently uses as part of the console proxy will be disbanded this summer. The realhostip service will be shut down June 30th, 2014, meaning users have approximately 3 months to mitigate this.

Prior to version 4.3, CloudStack used the realhostip.com service by default. With the release of CloudStack version 4.3 the default communication method with the console proxy is plaintext HTTP.

Who is Affected

CloudStack installations prior to version 4.3 that have not been reconfigured to use a DNS domain other than realhostip.com for Console Proxy or Secondary Storage must make changes to continue functioning past June 30th, 2014.

Steps You Need to Take

If you meet the criteria above, there are several options to prepare for realhostip retirement:

  • Set up wildcard SSL certificate and DNS entries: This method is already well supported within prior versions of CloudStack.
  • Upgrade to CloudStack 4.3 and disable SSL: This is only recommended for development installations, or private clouds that contain no information of importance.
  • Upgrade to CloudStack 4.3, set up static SSL certificate and configure load balancer to point to the correct IP address: While this allows an administrator to skip setting up the DNS entries from the previous option, it is a more advanced option as CloudStack 4.3 does not support automatic load balancer configuration for the Console Proxy. It is hoped this functionality will be available in future releases.

For instructions on how to set up SSL encryption for use with CloudStack console proxy, please read the console proxy section of the CloudStack administration guide.

Additionally, if you will be using an SSL vendor who requires an intermediate CA chain to be installed for proper SSL validation by web browsers, detailed instructions for configuring the intermediate CA chain in CloudStack can be found here.

The Apache CloudStack security team does not recommend running a production cloud with either the realhostip.com SSL certificate, or with no SSL encryption at all.

The Apache CloudStack project is pleased to announce the 4.2.1 release of the CloudStack cloud orchestration platform. This is a minor release of the 4.2.0 branch, which was released on Oct 1, 2013. The 4.2.1 release contains more than 150 bug fixes. As a bug fix release, no new features are included in 4.2.1.

The 4.2.1 release includes fixes for a number of issues, including problems with XenServer VMSnapshots, UCS, device ID for Xen, a configurable option to choose single vs. multipart upload for the S3 API, allowing a network with a public IP address without needing SourceNAT, and documentation fixes.

As a minor release, it is a simple upgrade from 4.2.0 with no architectural changes. CloudStack Management Server services and all SystemVMs will require a restart.

This release also addresses two security issues: CVE-2013-6398 and CVE-2014-0031.

Documentation

The 4.2.1 Release Notes include a full list of corrected issues as well as upgrade instructions from previous versions of Apache CloudStack.

The official installation, administration and API documentation for each release are available on our Documentation Page.

Downloads

The official source code for the 4.2.1 release can be downloaded from our Downloads Page.

In addition to the official source code release, individual contributors have also made convenience binaries in the form of RPM and Deb packages available from the download page.

About Apache CloudStack

Apache CloudStack is an integrated Infrastructure-as-a-Service (IaaS) software platform that allows users to build feature-rich public and private cloud environments. CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources. The project became an Apache top level project in March 2013.

For additional marketing or communications information, please contact the marketing mailing list.

To learn how to join and contribute to the Apache CloudStack community please visit our website.

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Bypass
Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1, 4.2.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 2.8 (AV:N/AC:M/Au:M/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of an issue in the Apache CloudStack virtual router that failed to preserve source restrictions in firewall rules after a virtual router had been stopped and restarted.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5263

Credit:

This issue was identified by the Cloud team at Schuberg Philis.

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:

The Apache CloudStack Security Team was notified of an issue in Apache CloudStack which permits an authenticated user to list network ACLs for other users.

Mitigation:

Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-5145

Credit:

This issue was identified by Marcus Sorensen.

The Apache CloudStack project is excited to announce the 4.2 feature release of the CloudStack cloud orchestration platform. This is the next feature release of the 4.x line, which was first released on November 6, 2012, followed by the 4.1 release on June 5. This is the second major release from Apache CloudStack since its graduation from the Apache Incubator on March 20th.

This release represents over six months of work from the Apache CloudStack community with 57 new and 29 improved features being provided. Many new features incorporate contributions from major corporations and support for industry standards. New integrated support of the Cisco UCS compute chassis, SolidFire storage arrays, and the S3 storage protocol are just a few of the features available in this release.

Documentation

In the 4.2 release, over 160 issues from 4.1.0 and 4.1.1 were fixed, including fixes for Swift support, fixes to documentation, and more. Please see the Release Notes for a full list of corrected issues and upgrade instructions.

The official installation, administration and API documentation for each release are available on our Documentation Page.

Downloads

The official source code for the 4.2 release can be downloaded from our Downloads Page.

In addition to the official source code release, individual contributors have also made convenience binaries available on the Apache CloudStack download page.

Apache CloudStack

Apache CloudStack is an integrated Infrastructure-as-a-Service (IaaS) software platform that allows users to build feature-rich public and private cloud environments. CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources. The project became an Apache top level project in March 2013.

For additional marketing or communications information, please contact the marketing mailing list.

To learn how to join and contribute to the Apache CloudStack community please visit our website at http://cloudstack.apache.org.

The Apache CloudStack project is pleased to announce the immediate availability of the Apache CloudStack CloudMonkey 5.0.0 release.

Apache CloudStack's CloudMonkey is a Python-based command line utility for interacting with Apache CloudStack IaaS clouds. The software provides an interactive shell environment that includes command discovery, auto-completion and multiple output formats. CloudMonkey can also be used as a simple command line utility, which can be easily integrated into larger shell scripts.

This is the first independently released version of CloudMonkey provided by the Apache CloudStack project community. This release includes pre-cached API command syntax for Apache CloudStack versions up to and including CloudStack 4.2.0.

The release can be obtained from the CloudMonkey section of the Apache CloudStack download page:

http://cloudstack.apache.org/downloads.html

Additionally, the 5.0.0 release is available via the Python Package Index (https://pypi.python.org/pypi/cloudmonkey) and may be installed via pip. Further instructions may be found on the Apache CloudStack download page.

We welcome your help and feedback. For more information on how to report problems, and to get involved, visit the project website at:

http://cloudstack.apache.org/

Product: Apache CloudStack
Vendor: The Apache Software Foundation
Vulnerability Type(s): Cross-site scripting (XSS)
Vulnerable version(s): Apache CloudStack versions 4.0.0-incubating, 4.0.1-incubating, 4.0.2 and 4.1.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 4 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Description:

The Apache CloudStack Security Team was notified of an issue found in the Apache CloudStack user interface that allows an authenticated user to execute a cross-site scripting attack against other users within the system.

Mitigation:

Updating to Apache CloudStack versions 4.1.1 or higher will mitigate this vulnerability.

Please see the 4.1.1 release notes for further information about how to upgrade:

http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.1.1/html/Release_Notes/index.html

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-2936

Credit:

This issue was identified by Oleg Boytsev from strongserver.org.

The Apache CloudStack project is pleased to announce the 4.1.1 release of the Apache CloudStack cloud orchestration platform.

This is a minor release of the 4.1.0 branch, which was released on June 5, 2013. The 4.1.1 release contains more than 45 bug fixes. As a bug-fix only release, no new features are included.

Apache CloudStack is an integrated Infrastructure-as-a-Service (IaaS) software platform that allows users to build feature-rich public and private cloud environments. CloudStack includes an intuitive user interface and rich API for managing the compute, networking, software, and storage resources. The project became an Apache top level project in March 2013.

More information about Apache CloudStack can be found at: http://cloudstack.apache.org/

Release Notes

The 4.1.1 release includes fixes for a number of issues, including problems with snapshots, fixes to documentation, and more. Please see the Release Notes file for a full list of corrected issues in this release and upgrade instructions.

http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.1.1/html/Release_Notes/index.html

The 4.1.1 release also addresses a cross-site scripting (XSS) vulnerability identified by CVE-2013-2136.

Downloads

The official source code release can be downloaded from:

http://cloudstack.apache.org/downloads.html

In addition to the official source code release, individual contributors have also made convenience binaries available on the Apache CloudStack download page.

The Apache CloudStack project is pleased to announce the 4.1.0 release of the CloudStack Infrastructure-as-a-Service (IaaS) cloud orchestration platform. This is the first major release from Apache CloudStack since its graduation from the Apache Incubator on March 20th.

Apache CloudStack is an integrated software platform that allows users to build a feature-rich IaaS. CloudStack includes an intuitive user interface and rich API for managing the compute, networking, accounting, and storage resources for private, hybrid, or public clouds.

The 4.1.0 release represents more than five months of development effort by the Apache CloudStack community. The release includes many new features and bugfixes from the 4.0.x cycle. The 4.1.0 release also marks major changes in the codebase to make CloudStack easier for developers, a new structure for creating RPM/Debian packages, and completes the changeover to using Maven as a build tool.

New Features

Some of the notable new features in Apache CloudStack 4.1.0 include:

  • An API discovery service that allows an end point to list its supported APIs and their details.
  • An Events Framework that provides an “event bus” with publish, subscribe, and unsubscribe semantics. It includes a RabbitMQ plugin that can interact with AMQP servers and introduces the notion of a state change event.
  • L3 router functionality in the Nicira NVP plugin, including support for KVM (previously Xen-only).
  • API request throttling to prevent attacks via frequent API requests.
  • AWS-style regions.
  • Egress firewall rules for guest networks.
  • Resizing root and data volumes.
  • Reset SSH key to access VMs.
  • Support for EC2 Query API.
  • Autoscaling support in conjunction with load balancing devices such as NetScaler.

Downloads

The official source is available from:

http://cloudstack.apache.org/downloads.html

In addition to the official source code release, individual contributors also make convenience binaries available. 4.1.0 convenience binaries should be available within a day or so of the release announcement.

Note that there is a known issue with 4.1.0 and a recent Tomcat release. This has been addressed in the convenience binaries, but is still present in the 4.1.0 source release. We will be working on a 4.1.1 release that will contain that fix shortly.

CloudStack Collaboration Conference

The CloudStack community will be gathering for its second conference this month in Santa Clara, CA. The event will start on June 23rd with a hackathon, then formal programming on June 24th and 25th. This year we’ve gotten some fantastic keynotes, including DevOps legend Gene Kim (author of “The Phoenix Project”). You can find all the details at http://www.cloudstackcollab.org/, and the schedule at http://www.cloudstackcollab.org/schedule/.

About Apache CloudStack

Apache CloudStack is a complete software suite for creating Infrastructure-as-a-Service (IaaS) clouds. Target environments include service providers and enterprises. It is used by many service providers to set up on-demand, elastic cloud computing services and by enterprises to set up a private cloud for use by their own employees. Apache CloudStack is also available to individuals and organizations that wish to study and implement an IaaS for personal, educational, and/or production use.

Further information on Apache CloudStack can be found at cloudstack.apache.org.

The Apache CloudStack project is pleased to announce the 4.0.2 release of the CloudStack Infrastructure-as-a-Service (IaaS) cloud orchestration platform. This is a minor release in the 4.0.0 branch, which contains fixes for 40 bugs.

Apache CloudStack is an integrated software platform that allows users to build a feature-rich IaaS. CloudStack includes an intuitive user interface and rich API for managing the compute, networking, accounting, and storage for private, hybrid, or public clouds. The project entered the Apache Incubator in April 2012, and graduated in March 2013.

The 4.0.2 release includes fixes for a number of issues, including two minor security vulnerabilities (CVE-2013-2756 and CVE-2013-2758), problems displaying storage statistics, a fix for the SSVM HTTP proxy, support for CentOS 6.4, and other fixes.

Downloads

The official source code releases can be downloaded from:

http://cloudstack.apache.org/downloads.html

In addition to the official source code release, individual contributors have also made convenience binaries available on the Apache CloudStack download page.

About Apache CloudStack

Apache CloudStack is a complete software suite for creating Infrastructure-as-a-Service (IaaS) clouds. Target environments include service providers and enterprises. It is used by many service providers to set up on-demand, elastic cloud computing services and by enterprises to set up a private cloud for use by their own employees. Apache CloudStack is also available to individuals and organizations that wish to study and implement an IaaS for personal, educational, and/or production use.

Further information on Apache CloudStack can be found at cloudstack.apache.org.