[Pkg-ganeti-devel] [ganeti] 03/03: Release 2.11.5-1
Guido Trotter
ultrotter at moszumanska.debian.org
Tue Aug 12 10:12:52 UTC 2014
This is an automated email from the git hooks/post-receive script.
ultrotter pushed a commit to branch master
in repository ganeti.
commit 55d14251fd485151e1e5898b2e47bc368b970edf
Author: Guido Trotter <ultrotter at debian.org>
Date: Mon Aug 11 15:51:33 2014 +0200
Release 2.11.5-1
---
debian/NEWS | 54 ++++++++++++++++++++++
debian/changelog | 10 ++++
.../0003-Disable-local-checks-during-build.patch | 2 +-
debian/patches/do-not-backup-export-dir.patch | 12 ++---
4 files changed, 69 insertions(+), 9 deletions(-)
diff --git a/debian/NEWS b/debian/NEWS
index 3e9f4e6..f0c8eab 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,57 @@
+ganeti (2.11.5-1) unstable; urgency=high
+
+ Security Release.
+
+ Please read the text of the advisory, quoted below, for more information:
+
+ Ganeti, an open source virtualisation manager, suffered from an insecure file
+ permission vulnerability that leads to sensitive information disclosure. This
+ issue was fixed with versions 2.10.7 and 2.11.5.
+
+ The Ganeti upgrade command ‘gnt-cluster upgrade’ creates an archive of the
+ current configuration of the cluster (e.g. the contents of “/var/lib/ganeti”).
+ The archive is named following the pattern ganet*.tar and is written to
+ “/var/lib/”. Such archives were written with too lax permissions that made
+ it possible to read them as unprivileged user, on the master node.
+
+ The configuration archive contains sensitive information, including SSL keys
+ for the inter-node communication via RPC as well as the credentials for the
+ remote API (RAPI). Such information can be used to control various operations
+ of the cluster, including shutting down and removing instances and nodes from
+ the cluster, or assuming the identity of the cluster in a MITM attack.
+
+ This vulnerability only affects Ganeti clusters meeting the following
+ criteria:
+ * The cluster is running Ganeti version 2.10.0 or higher.
+ * The upgrade command was run, for example when upgrading from 2.10 to 2.11.
+ * Unprivileged users have access to the host machines and in particular to
+ the cluster master node.
+
+ With the fixed release, the upgrade command will set the permissions of the
+ archives properly. However, in case previous versions have created an unsafe
+ archive already, the following mitigations are advised:
+ * Remove the access to the archive for unprivileged users (for example by
+ running “chmod 400 /var/lib/ganeti*.tar”).
+ * Renew the SSL keys by running “gnt-cluster renew-crypto”. You may need to
+ pass the --new-cluster-certificate, --new-confd-hmac-key,
+ --new-rapi-certificate, --new-spice-certificate,
+ --new-cluster-domain-secret flags, and (for version 2.11 only)
+ the --new-node-certificates flag.
+ * Renew the RAPI credentials by editing the /var/lib/ganeti/rapi_users file.
+ * Update RAPI, confd and other clients with the new secrets and
+ certificates, if applicable.
+ * Look for any other information regarded as secret in /var/lib/ganeti and
+ change it. For example VNC and SPICE passwords are not by default kept
+ there, but could, if Ganeti is so configured.
+
+ This vulnerability will be published as oCert-2014-006 on ocert.org; CVE ID is
+ pending. Thanks to Apollon Oikonomopoulos for reporting and fixing this issue.
+
+ Affected versions: 2.10.0 - 2.10.6, 2.11.0 - 2.11.4
+ Fixed versions: 2.10.7, 2.11.5
+
+ -- Guido Trotter <ultrotter at debian.org> Mon, 11 Aug 2014 15:14:40 +0200
+
ganeti (2.11.2-1) unstable; urgency=medium
Ganeti versions 2.10 and onwards support a coordinated cluster-wide
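Review bot: the archive name is given as the pattern `ganet*.tar` in the advisory paragraph but the mitigation runs `chmod 400 /var/lib/ganeti*.tar`, and the code context in the do-not-backup-export-dir.patch hunk of this same commit builds the name as `"lib/ganeti%d.tar"`; use the precise glob `ganeti*.tar` in both places so readers do not wonder whether other files are meant. The advisory identifier is also spelled `oCert-2014-006` here and `oCERT-2014-006` in debian/changelog; keep one spelling. It may be worth stating explicitly that the chmod step only stops further reads of archives already on disk and does not undo an earlier read, which is why the renew-crypto and rapi_users steps that follow are not optional.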
diff --git a/debian/changelog b/debian/changelog
index decbc07..f2f05fe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+ganeti (2.11.5-1) unstable; urgency=high
+
+ * New upstream release
+ * Fixes security vulnerability oCERT-2014-006, pending CVE (see NEWS.Debian)
+ * Other minor fixes from 2.10.7 are included in this release
+ * Update conflictign patch do-not-backup-export-dir.patch
+ * no-op refresh (line update) for 0003-Disable-local-checks-during-build.patch
+
+ -- Guido Trotter <ultrotter at debian.org> Mon, 11 Aug 2014 15:11:16 +0200
+
ganeti (2.11.3-2) unstable; urgency=medium
* Do not backup exported instance data from /var/lib/ganeti/export on
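Review bot: typo in the fourth bullet, `conflictign` should read `conflicting`. The identifier is written `oCERT-2014-006` here but `oCert-2014-006` in the debian/NEWS entry added in the same commit; the two should match so a reader searching for one form finds both.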
diff --git a/debian/patches/0003-Disable-local-checks-during-build.patch b/debian/patches/0003-Disable-local-checks-during-build.patch
index cd94986..c7d26c2 100644
--- a/debian/patches/0003-Disable-local-checks-during-build.patch
+++ b/debian/patches/0003-Disable-local-checks-during-build.patch
@@ -13,7 +13,7 @@ Last-Update: 2013-07-12
--- a/Makefile.in
+++ b/Makefile.in
-@@ -3226,7 +3226,7 @@
+@@ -3241,7 +3241,7 @@
exit 1; } >&2
check-am: all-am
$(MAKE) $(AM_MAKEFLAGS) $(check_SCRIPTS)
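Review bot: the only change is the hunk offset (`@@ -3226,7` becomes `@@ -3241,7`) while the `Last-Update: 2013-07-12` line visible in the context is left at its old date; if the packaging follows DEP-3 headers, consider bumping Last-Update when a patch is refreshed, even for a line-number-only refresh, so the header shows when it was last checked against upstream (the commit is dated 2014-08-11).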
diff --git a/debian/patches/do-not-backup-export-dir.patch b/debian/patches/do-not-backup-export-dir.patch
index 0e0f39e..f45aab0 100644
--- a/debian/patches/do-not-backup-export-dir.patch
+++ b/debian/patches/do-not-backup-export-dir.patch
@@ -12,16 +12,12 @@ Date: Fri Jul 11 12:37:12 2014 +0300
since 2.0.1-1 and changing the location now will break imports in
existing setups, so it's best to just skip backing up DATADIR/export.
-diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py
-index 3e63d3a..04045d8 100644
--- a/lib/client/gnt_cluster.py
+++ b/lib/client/gnt_cluster.py
-@@ -1880,7 +1880,8 @@ def _UpgradeBeforeConfigurationChange(versionstring):
- backuptar = os.path.join(pathutils.LOCALSTATEDIR,
- "lib/ganeti%d.tar" % time.time())
- ToStdout("Backing up configuration as %s" % backuptar)
-- if not _RunCommandAndReport(["tar", "cf", backuptar,
-+ if not _RunCommandAndReport(["tar", "-cf", backuptar,
+@@ -1888,6 +1888,7 @@
+ (_, tmp_name) = tempfile.mkstemp(prefix=backuptar, dir=pathutils.BACKUP_DIR)
+ if not _RunCommandAndReport(["tar", "-cf", tmp_name,
+ "--exclude=queue/archive",
+ "--exclude=export",
pathutils.DATA_DIR]):
return (False, rollback)
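Review bot: the refreshed hunk header `+@@ -1888,6 +1888,7 @@` drops the function hint (`def _UpgradeBeforeConfigurationChange(versionstring)`) that the old header carried, and the `diff --git`/`index` lines are removed; the patch still applies as a plain unified diff, but keeping the function hint makes the next refresh easier to verify. The patch description (context at the top of the hunk, dated Fri Jul 11) should also mention that the patch was re-based on the 2.11.5 code, since the new context line `(_, tmp_name) = tempfile.mkstemp(prefix=backuptar, dir=pathutils.BACKUP_DIR)` is upstream code that creates the archive as a private temporary file (mkstemp creates files mode 0600), which appears to be the permission fix described in debian/NEWS; the patch now depends on that line and no longer applies to the older `backuptar` call it used to modify.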