This release fixes a security issue with a potential leak of data contained on a destroyed DigitalOcean node. Only users who are using a DigitalOcean driver are affected.

Details about the vulnerability

DigitalOcean recently changed the default API behavior from scrub to non-scrub when destroying a VM without notifying the customers and API consumers.

Libcloud prior to this release doesn’t explicitly send “scrub_data” query parameter when destroying a node. This means nodes which are destroyed using Libcloud are vulnerable to later customers stealing data contained on them.

This release fixes that by always sending “scrub_data” query parameter when destroying a DigitalOcean node.

If you are using a DigitalOcean driver, you are strongly encouraged to upgrade (or downgrade if you are using 0.14.0-beta3 beta release) to this release.

For more information, please see the Security page.

Download

Libcloud 0.13.3 can be downloaded from https://libcloud.apache.org/downloads.html

or installed using pip:

pip install apache-libcloud==0.13.3

It is possible that the file hasn’t been synced to all the mirrors yet. If this is the case, please use the main Apache mirror - https://www.apache.org/dist/libcloud.

Upgrading

If you have installed Libcloud using pip you can also use it to upgrade it:

pip install --upgrade apache-libcloud==0.13.3

Documentation

Regular and API documentation is available at https://libcloud.readthedocs.org/en/latest/.

Bugs / Issues

If you find any bug or issue, please report it on our issue tracker https://issues.apache.org/jira/browse/LIBCLOUD. Don’t forget to attach an example and / or test which reproduces your problem.

Thanks

Thanks to everyone who contributed and made this release possible!

Full list of people who contributed to this release can be found in the CHANGES file.