This is a quick update about the recent 0.13.3 security release and the DigitalOcean vulnerability.
DigitalOcean updated their blog post. The updated post says that scrubbing is now enabled by default for all the newly issued destroy requests:
All Destroys Default to Scrub
We have updated the destroy method to scrub on all destroys, both for web and API requests.
This means that no action is required on the client side and upgrading to 0.13.3 should not be necessary anymore.
This release fixes a security issue with a potential leak of data contained on a destroyed DigitalOcean node. Only users who are using a DigitalOcean driver are affected.
Details about the vulnerability
DigitalOcean recently changed the default API behavior from scrub to non-scrub when destroying a VM without notifying the customers and API consumers.
Libcloud prior to this release doesn't explicitly send the "scrub_data" query parameter when destroying a node. This means nodes which are destroyed using Libcloud are vulnerable to later customers stealing data contained on them.
This release fixes that by always sending the "scrub_data" query parameter when destroying a DigitalOcean node.
If you are using a DigitalOcean driver, you are strongly encouraged to upgrade (or downgrade if you are using the 0.14.0-beta3 beta release) to this release.
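The difference between relying on the provider default and sending the parameter explicitly, together with a check that flags destroy requests which leave scrubbing to the server, is shown in the following added example. It is not Libcloud's own code: the request path, the "1" value and all function names are assumptions made for illustration, and only the "scrub_data" parameter name comes from the text above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: the path layout and the "1" value are illustrative only.
DESTROY_PATH = "/droplets/%s/destroy/"
TRUTHY = {"1", "true"}


def build_destroy_request(node_id, explicit_scrub=True):
    """Return the path and query string for a destroy call.

    explicit_scrub=False reproduces the behaviour described above for
    earlier releases: the parameter is omitted and the provider decides.
    """
    params = {}
    if explicit_scrub:
        params["scrub_data"] = "1"
    query = urlencode(params)
    path = DESTROY_PATH % node_id
    return path + ("?" + query if query else "")


def audit_destroy_requests(request_lines):
    """Return destroy requests that do not explicitly ask for a scrub."""
    flagged = []
    for line in request_lines:
        parts = urlsplit(line.strip())
        if not parts.path.rstrip("/").endswith("/destroy"):
            continue  # not a destroy call
        values = parse_qs(parts.query).get("scrub_data", [])
        # Missing, empty or non-truthy: the outcome depends on a server
        # default that can change without notice.
        if not values or any(v.lower() not in TRUTHY for v in values):
            flagged.append(line.strip())
    return flagged


# Constructed sample of outbound requests (not real traffic).
SAMPLE_REQUESTS = [
    build_destroy_request(101, explicit_scrub=False),
    build_destroy_request(102),
    "/droplets/103/destroy/?scrub_data=false",
    "/droplets/104/reboot/",
]

if __name__ == "__main__":
    for req in audit_destroy_requests(SAMPLE_REQUESTS):
        print("destroy without explicit scrub:", req)
```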
For more information, please see the Security page.
Libcloud 0.13.3 can be downloaded from https://libcloud.apache.org/downloads.html
or installed using pip:
pip install apache-libcloud==0.13.3
It is possible that the file hasn't been synced to all the mirrors yet. If this is the case, please use the main Apache mirror - https://www.apache.org/dist/libcloud.
If you have installed Libcloud using pip you can also use it to upgrade it:
pip install --upgrade apache-libcloud==0.13.3
Regular and API documentation is available at https://libcloud.readthedocs.org/en/latest/.
Bugs / Issues
If you find any bug or issue, please report it on our issue tracker https://issues.apache.org/jira/browse/LIBCLOUD. Don't forget to attach an example and / or test which reproduces your problem.
Thanks to everyone who contributed and made this release possible!
The full list of people who contributed to this release can be found in the CHANGES file.
In addition to our existing users (email@example.com), developers (firstname.lastname@example.org) and commits (email@example.com) mailing lists, we now also have a new, very low volume announce mailing list - firstname.lastname@example.org.
The mailing list is moderated and will only be used for distributing important project announcements such as information about new releases and other important project updates.
You can subscribe to it by sending an email to email@example.com.
Dear Libcloud users, developers and team members,
2013 is slowly coming to an end, and we would like to wish everyone a happy and successful new year!
Now it's also the time to look back at the things which have been accomplished, important events which have happened and some statistics for 2013.
Important Events and Milestones
- Two new committers have joined our team - John Carr, Brian Curtin
- In June we held a Libcloud Design Day at the Rackspace San Francisco office. See Libcloud Design Day Recap blog post for a recap.
- We have finally migrated from SVN to Git.
- We have started to work on new and improved documentation which is now available on ReadTheDocs.
- In addition to the Apache Buildbot instance, our tests now also run on Travis CI.
- Key pair management methods have been promoted to be part of the base compute API. See Libcloud update - Key pair management methods are now part of the base API blog post for more information.
- 197 new JIRA issues have been opened (total of 472). Out of those 197 issues, 138 are now marked as 'resolved'.
- Github mirror stars: 331 (+65 YTD)
- Twitter followers: 449 (+149 YTD)
- Google+ page +1's: 1591
- We had a total of 5 releases (0.12.1, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.13.2, 0.14.0-beta3)
- The SVN and Git repositories combined have had a total of 963 commits.
The numbers listed above were retrieved on the 26th of December, 2013 from the sources listed below:
- Libcloud website - http://libcloud.apache.org/
- Twitter account - https://twitter.com/libcloud
- Google+ page - Apache Libcloud
- Github mirror - https://github.com/apache/libcloud
- JIRA - https://issues.apache.org/jira/browse/LIBCLOUD
- PyPi - https://pypi.python.org/pypi/apache-libcloud/
- Ohloh - https://www.ohloh.net/p/libcloud/
Those numbers and numbers for the past years are also available in a semi machine readable format in a Google Spreadsheet.
Old retrospect blog posts
- 2012 in retrospect and a Happy New Year from the Libcloud team
- 2011 in retrospect and a Happy New Year from the Libcloud team
Thanks again to everyone for their contributions and let's make 2014 even better and more successful :)
The Project Management Committee (PMC) for Apache Libcloud has asked Brian Curtin to become a committer and we are pleased to announce that they have accepted.
We are glad to have him as a committer. Everyone, please help us welcome him to the team :)
Source: mailing list.