Account Options

  1. Sign in
The old Google Groups will be going away soon.
Switch to the new Google Groups.
Google Groups Home
« Groups Home
ganeti
Home
+ new post
About this group
Join this group
New Ganeti releases fixing a security issue (CVE-2009-4261)
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   3 messages - Collapse all  -  Translate all to Translated (View all originals)
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Iustin Pop  
View profile  
 More options Dec 17 2009, 11:10 am
From: Iustin Pop <ius...@google.com>
Date: Thu, 17 Dec 2009 17:10:25 +0100
Local: Thurs, Dec 17 2009 11:10 am
Subject: New Ganeti releases fixing a security issue (CVE-2009-4261)
Print | Individual message | Show original | Report this message | Find messages by this author
Hi,

We've just released new versions of Ganeti 1.2 and 2.0 (and a new
release candidate for 2.1), fixing a serious security issue
(CVE-2009-4261):
  - http://ganeti.googlecode.com/files/ganeti-2.0.5.tar.gz
  - http://ganeti.googlecode.com/files/ganeti-2.1.0~rc2.tar.gz
  - http://ganeti.googlecode.com/files/ganeti-1.2.9.tar.gz

The problem relates to missing validation of iallocator names, and this
allows remote execution of arbitrary programs on the master node.

It is recommended to upgrade as soon as possible to the new versions, or
alternatively patching your current version with the following patches
from the Git repository:
  - 2.0:
    - http://git.ganeti.org/?p=ganeti.git;a=commit;h=4fe80ef2ed1cda3a635727...
    - http://git.ganeti.org/?p=ganeti.git;a=commit;h=f95c81bf21c177f7e6a2c5...
  - 1.2:
    - http://git.ganeti.org/?p=ganeti.git;a=commit;h=c899750fde9828d76526ee...
    - http://git.ganeti.org/?p=ganeti.git;a=commit;h=b0fc8c8943764d182fe2cc...
  - for 2.1 it's not possible to link directly to patches, it's
    recommended to use the new archive (ganeti-2.1.0~rc2.tar.gz)

In case upgrade or patching is not immediately possible, you can
implement the following work-around measures:
  - if you don't use any iallocator scripts, remove the ganeti
    iallocator script directories (the list of directories present in
    _autoconf.py as IALLOCATOR_SEARCH_PATH), e.g. "mv
    /usr/lib/ganeti/iallocators /usr/lib/ganeti/iallocators.old" if you
    have a single directory
  - disabling any sudo access to the gnt-* commands
  - firewalling the RAPI port (allowing only trusted hosts) or disabling
    it either via rename of the binary or modification (note that just
    stopping the 'ganeti-rapi' daemon is not enough since the watcher
    will try to restart it)

Note that in general it is recommended that the RAPI port is not exposed
too widely.

Regards,
(iustin on behalf of) ganeti-team


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Michael Hanselmann  
View profile  
 More options Dec 17 2009, 11:32 am
From: Michael Hanselmann <han...@google.com>
Date: Thu, 17 Dec 2009 17:32:57 +0100
Local: Thurs, Dec 17 2009 11:32 am
Subject: Re: New Ganeti releases fixing a security issue (CVE-2009-4261)
Print | Individual message | Show original | Report this message | Find messages by this author
2009/12/17 Iustin Pop <ius...@google.com>:

> We've just released new versions of Ganeti 1.2 and 2.0 (and a new
> release candidate for 2.1), fixing a serious security issue
> (CVE-2009-4261):
> […]

The oCERT advisory can be found at
<http://www.ocert.org/advisories/ocert-2009-019.html>.

Regards,
Michael


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Lance Albertson  
View profile  
 More options Dec 17 2009, 12:08 pm
From: Lance Albertson <la...@osuosl.org>
Date: Thu, 17 Dec 2009 09:08:23 -0800
Local: Thurs, Dec 17 2009 12:08 pm
Subject: Re: New Ganeti releases fixing a security issue (CVE-2009-4261)
Print | Individual message | Show original | Report this message | Find messages by this author

On 12/17/2009 08:32 AM, Michael Hanselmann wrote:

> 2009/12/17 Iustin Pop <ius...@google.com>:
>> We've just released new versions of Ganeti 1.2 and 2.0 (and a new
>> release candidate for 2.1), fixing a serious security issue
>> (CVE-2009-4261):
>> […]

> The oCERT advisory can be found at
> <http://www.ocert.org/advisories/ocert-2009-019.html>.

Just committed version bumps for those versions in Gentoo. Thanks for
the report.

--
Lance Albertson                                    lance <at> osuosl.org
Systems Administrator / Architect                        Open Source Lab
Network Services                                 Oregon State University
Work: 541-737-9975                                   PGP Key: 0x27F4B742
GPG Fingerprint       0423 92F3 544A 1282 5AB1  4D07 416F A15D 27F4 B742

  signature.asc
< 1K Download

 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2012 Google