Tag: security release

Quick update about 0.13.3 release and DigitalOcean vulnerability

This is a quick update about the recent 0.13.3 security release and the DigitalOcean vulnerability.

DigitalOcean updated their blog post. The updated post says that scrubbing is now enabled by default for all the newly issued destroy requests:

All Destroys Default to Scrub

We have updated the destroy method to scrub on all destroys, both for web and API requests.

This means that no action is required on the client side and upgrading to 0.13.3 should not be necessary anymore.

References:

Libcloud 0.13.3 released

This release fixes a security issue with a potential leak of data contained on a destroyed DigitalOcean node. Only users who are using a DigitalOcean driver are affected.

Details about the vulnerability

DigitalOcean recently changed the default API behavior from scrub to non-scrub when destroying a VM without notifying the customers and API consumers.

Libcloud prior to this release doesn't explicitly send "scrub_data" query parameter when destroying a node. This means nodes which are destroyed using Libcloud are vulnerable to later customers stealing data contained on them.

This release fixes that by always sending "scrub_data" query parameter when destroying a DigitalOcean node.

If you are using a DigitalOcean driver, you are strongly encouraged to upgrade (or downgrade if you are using 0.14.0-beta3 beta release) to this release.

For more information, please see the Security page.

Download

Libcloud 0.13.3 can be downloaded from https://libcloud.apache.org/downloads.html

or installed using pip:

pip install apache-libcloud==0.13.3

It is possible that the file hasn't been synced to all the mirrors yet. If this is the case, please use the main Apache mirror - https://www.apache.org/dist/libcloud.

Upgrading

If you have installed Libcloud using pip you can also use it to upgrade it:

pip install --upgrade apache-libcloud==0.13.3

Documentation

Regular and API documentation is available at https://libcloud.readthedocs.org/en/latest/.

Bugs / Issues

If you find any bug or issue, please report it on our issue tracker https://issues.apache.org/jira/browse/LIBCLOUD. Don't forget to attach an example and / or test which reproduces your problem.

Thanks

Thanks to everyone who contributed and made this release possible!

Full list of people who contributed to this release can be found in the CHANGES file.

Libcloud 0.11.1 released

This release fixes a possible SSL man-in-the-middle vulnerability inside the code which performs the SSL certificate validation. For more information about the vulnerability, please see the "Security" page - http://libcloud.apache.org/security.html.

Everyone using an older version is strongly encouraged to upgrade to this release.

Download

Libcloud 0.11.1 can be downloaded from http://libcloud.apache.org/downloads.html or installed using pip:

pip install apache-libcloud

It is possible that the file hasn't been synced to all the mirrors yet. If this is the case, please use the main Apache mirror - http://www.apache.org/dist/libcloud.

Upgrading

If you have installed Libcloud using pip you can also use it to upgrade it:

pip install --upgrade apache-libcloud

Upgrade notes

A page which describes backward incompatible or semi-incompatible changes and how to preserve the old behavior when this is possible can be found at http://libcloud.apache.org/upgrade-notes.html.

Documentation

API documentation can be found at http://libcloud.apache.org/apidocs/0.11.1/.

Bugs / Issues

If you find any bug or issue, please report it on our issue tracker https://issues.apache.org/jira/browse/LIBCLOUD. Don't forget to attach an example and / or test which reproduces your problem.

Thanks

Thanks to the researchers from the University of Texas at Austin (Martin Georgiev, Suman Jana and Vitaly Shmatikov) who discovered this vulnerability.

Source: release announcement.

Libcloud 0.4.2 released

The Apache Software Foundation and the Apache Libcloud Project are pleased to announce the release and immediate availability of version 0.4.2 of Apache Libcloud ("libcloud").

Apache Libcloud is a pure python client library for interacting with many of the popular cloud server providers. It was created to make it easy for developers to build products that work between any of the services that it supports.

Apache Libcloud is available for download from: http://incubator.apache.org/libcloud/downloads.html.

Major changes since the previous release:

  • New drivers for CloudSigma, Brightbox, Rackspace UK
  • Improvements to deployment capabilities
  • libcloud.security module for SSL certificate verification, see http://wiki.apache.org/incubator/LibcloudSSL