New Ganeti releases fixing a security issue (CVE-2009-4261)

48 views
Skip to first unread message

Iustin Pop

unread,
Dec 17, 2009, 11:10:25 AM12/17/09
to gan...@googlegroups.com, ganeti...@googlegroups.com
Hi,

We've just released new versions of Ganeti 1.2 and 2.0 (and a new
release candidate for 2.1), fixing a serious security issue
(CVE-2009-4261):
- http://ganeti.googlecode.com/files/ganeti-2.0.5.tar.gz
- http://ganeti.googlecode.com/files/ganeti-2.1.0~rc2.tar.gz
- http://ganeti.googlecode.com/files/ganeti-1.2.9.tar.gz

The problem relates to missing validation of iallocator names, and this
allows remote execution of arbitrary programs on the master node.

It is recommended to upgrade as soon as possible to the new versions, or
alternatively patching your current version with the following patches
from the Git repository:
- 2.0:
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=4fe80ef2ed1cda3a6357274eccafe5c1f21a5283
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=f95c81bf21c177f7e6a2c53ea0613034326329bd
- 1.2:
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=c899750fde9828d76526eed47935a46335124d88
- http://git.ganeti.org/?p=ganeti.git;a=commit;h=b0fc8c8943764d182fe2cc1876747ea2c2e4df09
- for 2.1 it's not possible to link directly to patches, it's
recommended to use the new archive (ganeti-2.1.0~rc2.tar.gz)

In case upgrade or patching is not immediately possible, you can
implement the following work-around measures:
- if you don't use any iallocator scripts, remove the ganeti
iallocator script directories (the list of directories present in
_autoconf.py as IALLOCATOR_SEARCH_PATH), e.g. "mv
/usr/lib/ganeti/iallocators /usr/lib/ganeti/iallocators.old" if you
have a single directory
- disabling any sudo access to the gnt-* commands
- firewalling the RAPI port (allowing only trusted hosts) or disabling
it either via rename of the binary or modification (note that just
stopping the 'ganeti-rapi' daemon is not enough since the watcher
will try to restart it)

Note that in general it is recommended that the RAPI port is not exposed
too widely.

Regards,
(iustin on behalf of) ganeti-team

Michael Hanselmann

unread,
Dec 17, 2009, 11:32:57 AM12/17/09
to gan...@googlegroups.com, ganeti...@googlegroups.com
2009/12/17 Iustin Pop <ius...@google.com>:

> We've just released new versions of Ganeti 1.2 and 2.0 (and a new
> release candidate for 2.1), fixing a serious security issue
> (CVE-2009-4261):
> […]

The oCERT advisory can be found at
<http://www.ocert.org/advisories/ocert-2009-019.html>.

Regards,
Michael

Lance Albertson

unread,
Dec 17, 2009, 12:08:23 PM12/17/09
to gan...@googlegroups.com

Just committed version bumps for those versions in Gentoo. Thanks for
the report.

--
Lance Albertson lance <at> osuosl.org
Systems Administrator / Architect Open Source Lab
Network Services Oregon State University
Work: 541-737-9975 PGP Key: 0x27F4B742
GPG Fingerprint 0423 92F3 544A 1282 5AB1 4D07 416F A15D 27F4 B742

signature.asc
Reply all
Reply to author
Forward
0 new messages