This is an automated email from the ASF dual-hosted git repository.

rohit pushed a commit to branch staging-site
in repository https://gitbox.apache.org/repos/asf/cloudstack-www.git


The following commit(s) were added to refs/heads/staging-site by this push:
     new 698bb7855 new advisory blog & release updates
698bb7855 is described below

commit 698bb78552643d8c1ca26e386691a7bf11715836
Author: Rohit Yadav <rohit.ya...@shapeblue.com>
AuthorDate: Tue Aug 6 16:46:06 2024 +0530

    new advisory blog & release updates
    
    Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>
---
 .../banner.png                                     | Bin 0 -> 368443 bytes
 .../index.md                                       |  91 +++++++++++++++++++++
 blog/authors.yml                                   |   6 ++
 src/components/Releases/index.tsx                  |   2 +
 src/pages/downloads.mdx                            |  32 ++++----
 src/pages/index.tsx                                |   8 +-
 6 files changed, 119 insertions(+), 20 deletions(-)

diff --git 
a/blog/2024-08-06-security-release-advisory-4.19.1.1-4.18.2.3/banner.png 
b/blog/2024-08-06-security-release-advisory-4.19.1.1-4.18.2.3/banner.png
new file mode 100644
index 000000000..59d9b026d
Binary files /dev/null and 
b/blog/2024-08-06-security-release-advisory-4.19.1.1-4.18.2.3/banner.png differ
diff --git 
a/blog/2024-08-06-security-release-advisory-4.19.1.1-4.18.2.3/index.md 
b/blog/2024-08-06-security-release-advisory-4.19.1.1-4.18.2.3/index.md
new file mode 100644
index 000000000..09e6d7957
--- /dev/null
+++ b/blog/2024-08-06-security-release-advisory-4.19.1.1-4.18.2.3/index.md
@@ -0,0 +1,91 @@
+---
+layout: post
+title: "[ADVISORY] Apache CloudStack LTS Security Releases 4.18.2.3 and 
4.19.1.1"
+tags: [announcement]
+authors: [nicolas]
+slug: security-release-advisory-4.19.1.1-4.18.2.3
+---
+
+[![](banner.png "Apache CloudStack LTS Security Releases 4.18.2.3 and 
4.19.1.1")](/blog/security-release-advisory-4.19.1.1-4.18.2.3)
+
+Apache CloudStack project announces the release of LTS security releases
+[4.18.2.3](https://github.com/apache/cloudstack/releases/tag/4.18.2.3) and
+[4.19.1.1](https://github.com/apache/cloudstack/releases/tag/4.19.1.1) that
+address CVE-2024-42062 and CVE-2024-42222, both of severity rating 'critical',
+explained below.
+
+<!-- truncate -->
+
+## [CVE-2024-42062](https://www.cve.org/CVERecord?id=CVE-2024-42062): User Key 
Exposure to Domain Admins
+
+CloudStack account-users by default use username and password based
+authentication for API and UI access. Account-users can generate and
+register randomised API and secret keys and use them for the purpose
+of API-based automation and integrations. Due to access permission
+validation issue that affects Apache CloudStack versions 4.10.0 upto
+4.19.1.0, domain admin accounts were found to be able to query all
+registered account-users API and secret keys in an environment
+including that of a root admin. An attacker who has domain admin
+access, can exploit this to gain root admin and other-account
+privileges and perform malicious operations that can result in
+compromise of resources integrity and confidentiality, data loss,
+denial of service and availability of CloudStack managed
+infrastructure.
+
+## [CVE-2024-42222](https://www.cve.org/CVERecord?id=CVE-2024-42222): 
Unauthorised Network List Access
+
+In Apache CloudStack 4.19.1.0, a regression in the network listing API
+allows unauthorised list access of network details for domain admin
+and normal user accounts. This vulnerability compromises tenant
+isolation, potentially leading to unauthorised access to network
+details, configurations and data.
+
+## Credits
+
+The CVEs are credited to the following reporters:
+
+- CVE-2024-42062:
+  - Fabricio Duarte
+
+- CVE-2024-42222:
+  - Christian Gross of Netcloud AG
+  - Midhun Jose
+
+## Affected versions:
+
+- CVE-2024-42062 affects the following versions:
+  - Apache CloudStack 4.10.0 through 4.18.2.2
+  - Apache CloudStack 4.19.0.0 through 4.19.1.0
+
+- CVE-2024-42222 affect the following version:
+  - Apache CloudStack 4.19.1.0
+
+## Resolution
+
+Users are recommended to upgrade to version 4.18.2.3, 4.19.1.1 or later, which
+addresses these issues. Additionally, users on a version older than 4.19.1.0 
are
+advised to skip 4.19.1.0 and upgrade to 4.19.1.1 instead. To maintain the
+security of their environment, users are advised to regenerate all existing 
user
+keys.
+
+## Downloads and Documentation
+
+The official source code for the 4.18.2.3 and 4.19.1.1 releases can be
+downloaded from the project downloads page:
+
+https://cloudstack.apache.org/downloads
+
+The 4.18.2.3 and 4.19.1.1 release notes can be found at:
+- https://docs.cloudstack.apache.org/en/4.18.2.3/releasenotes/about.html
+- https://docs.cloudstack.apache.org/en/4.19.1.1/releasenotes/about.html
+
+In addition to the official source code release, individual contributors
+have also made release packages available on the Apache CloudStack
+download page, and available at:
+
+- https://download.cloudstack.org/el/7/
+- https://download.cloudstack.org/el/8/
+- https://download.cloudstack.org/el/9/
+- https://download.cloudstack.org/suse/15/
+- https://download.cloudstack.org/ubuntu/dists/
+- https://www.shapeblue.com/cloudstack-packages/
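Review bot: The Resolution section advises users to "regenerate all existing user keys" but does not say that this must happen after the upgrade; keys regenerated on a management server that is still affected by CVE-2024-42062 stay queryable by a domain admin. Suggest wording along the lines of "After upgrading, regenerate all existing user API and secret keys". Smaller wording points in the same file: "upto" should be "up to", "Due to access permission validation issue" needs an article, "CVE-2024-42222 affect" should be "affects", and "## Affected versions:" is the only heading with a trailing colon.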
diff --git a/blog/authors.yml b/blog/authors.yml
index 562274bae..d8a6c18e6 100644
--- a/blog/authors.yml
+++ b/blog/authors.yml
@@ -33,3 +33,9 @@ shwstppr:
   title: PMC Member
   url: https://github.com/shwstppr
   image_url: https://github.com/shwstppr.png
+
+nicolas:
+  name: Nicolas Vazquez
+  title: PMC Member
+  url: https://github.com/nvazquez
+  image_url: https://github.com/nvazquez.png
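Review bot: The new key `nicolas` departs from the pattern visible in the context entry above it, where the key `shwstppr` matches the GitHub handle used in `url` and `image_url`. A first-name key is also more likely to collide with a later author; consider `nvazquez` here, with `authors: [nvazquez]` in the advisory front matter.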
diff --git a/src/components/Releases/index.tsx 
b/src/components/Releases/index.tsx
index 59548cffd..84a2f847c 100644
--- a/src/components/Releases/index.tsx
+++ b/src/components/Releases/index.tsx
@@ -1,10 +1,12 @@
 import React from "react";
 
 const versions = [
+       '4.19.1.1',
        '4.19.1.0',
        '4.19.0.2',
        '4.19.0.1',
        '4.19.0.0',
+       '4.18.2.3',
        '4.18.2.2',
        '4.18.2.1',
        '4.18.2.0',
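Review bot: `'4.19.1.0'` stays in the `versions` array directly under the new `'4.19.1.1'` entry with nothing to distinguish it, while the advisory added in this same commit tells users to skip 4.19.1.0. If this array feeds a user-facing release listing, consider marking or annotating that entry so it is not picked as an upgrade target.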
diff --git a/src/pages/downloads.mdx b/src/pages/downloads.mdx
index 787430a7c..655088a26 100644
--- a/src/pages/downloads.mdx
+++ b/src/pages/downloads.mdx
@@ -18,42 +18,42 @@ releases](https://github.com/apache/cloudstack/releases).
 
 ### Source Releases
 
-Apache CloudStack's most recent release is `4.19.1.0`. This is current
+Apache CloudStack's most recent release is `4.19.1.1`. This is current
 CloudStack LTS release.
 
-<a class="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.0/apache-cloudstack-4.19.1.0-src.tar.bz2";>Get
 the 4.19.1.0 Source</a>&nbsp;
+<a class="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.1/apache-cloudstack-4.19.1.1-src.tar.bz2";>Get
 the 4.19.1.1 Source</a>&nbsp;
 <a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/KEYS";>KEYS</a>&nbsp;
-<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.1.0/apache-cloudstack-4.19.1.0-src.tar.bz2.asc";>PGP</a>&nbsp;
-<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.1.0/apache-cloudstack-4.19.1.0-src.tar.bz2.sha512";>SHA512</a>
+<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.1.1/apache-cloudstack-4.19.1.1-src.tar.bz2.asc";>PGP</a>&nbsp;
+<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.19.1.1/apache-cloudstack-4.19.1.1-src.tar.bz2.sha512";>SHA512</a>
 <br/><br/>
 
-Full release notes can be found in the version [4.19.1.0 Release
-Notes](https://docs.cloudstack.apache.org/en/4.19.1.0/releasenotes/) website.
+Full release notes can be found in the version [4.19.1.1 Release
+Notes](https://docs.cloudstack.apache.org/en/4.19.1.1/releasenotes/) website.
 
 Instructions for building from source and installing Apache CloudStack can be
 found in the [Installation
-Guide](https://docs.cloudstack.apache.org/en/4.19.1.0/installguide/).
+Guide](https://docs.cloudstack.apache.org/en/4.19.1.1/installguide/).
 Instructions for building from source and upgrading from a previous version of
-CloudStack to Apache CloudStack 4.19.1.0 can be found in the upgrade section of
+CloudStack to Apache CloudStack 4.19.1.1 can be found in the upgrade section of
 the Release Notes (see above).
 
-The latest CloudStack LTS maintenance release is `4.18.2.2` as part of the
+The latest CloudStack LTS maintenance release is `4.18.2.3` as part of the
 previous LTS release.
 
-<a class="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.2/apache-cloudstack-4.18.2.2-src.tar.bz2";>Get
 the 4.18.2.2 Source</a>&nbsp;
+<a class="button button--primary button--lg" 
href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.3/apache-cloudstack-4.18.2.3-src.tar.bz2";>Get
 the 4.18.2.3 Source</a>&nbsp;
 <a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/KEYS";>KEYS</a>&nbsp;
-<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.2/apache-cloudstack-4.18.2.2-src.tar.bz2.asc";>PGP</a>&nbsp;
-<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.2/apache-cloudstack-4.18.2.2-src.tar.bz2.sha512";>SHA512</a>
+<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.3/apache-cloudstack-4.18.2.3-src.tar.bz2.asc";>PGP</a>&nbsp;
+<a class="button button--secondary button--sm" 
href="https://downloads.apache.org/cloudstack/releases/4.18.2.3/apache-cloudstack-4.18.2.3-src.tar.bz2.sha512";>SHA512</a>
 <br/><br/>
 
-Full release notes can be found in the version [4.18.2.2 Release
-Notes](https://docs.cloudstack.apache.org/en/4.18.2.2/releasenotes/) website.
+Full release notes can be found in the version [4.18.2.3 Release
+Notes](https://docs.cloudstack.apache.org/en/4.18.2.3/releasenotes/) website.
 
 Instructions for building from source and installing Apache CloudStack can be
 found in the [Installation
-Guide](https://docs.cloudstack.apache.org/en/4.18.2.2/installguide/).
+Guide](https://docs.cloudstack.apache.org/en/4.18.2.3/installguide/).
 Instructions for building from source and upgrading from a previous version of
-CloudStack to Apache CloudStack 4.18.2.2 can be found in the upgrade section of
+CloudStack to Apache CloudStack 4.18.2.3 can be found in the upgrade section of
 the Release Notes (see above).
 
 ### Community Packages
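Review bot: Both rewritten "Get the ... Source" buttons keep an `http://www.apache.org/dyn/closer.lua/...` href, while the KEYS, PGP and SHA512 buttons beside them use `https://`. Since these lines are being touched anyway, switch the source links to `https://` so the tarball link is not the only one served in clear text. For a security release, a short sentence asking readers to verify the download against the PGP signature and SHA512 file would also fit here.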
diff --git a/src/pages/index.tsx b/src/pages/index.tsx
index a9b847f7b..49f50977f 100644
--- a/src/pages/index.tsx
+++ b/src/pages/index.tsx
@@ -26,8 +26,8 @@ Apache CloudStack™  is an open-source software system 
designed to deploy and m
             <div class="center-buttons">
               <a href="downloads" class="btn btn-light btn-size">Download</a>
              &nbsp;
-              <a href="https://docs.cloudstack.apache.org/en/4.19.1.0/"; 
target="_blank" class="btn btn-outline-light btn-size">Documentation</a>
-              <p class="small mt-3">Apache CloudStack 4.19.1.0 is out!</p>
+              <a href="https://docs.cloudstack.apache.org/en/4.19.1.1/"; 
target="_blank" class="btn btn-outline-light btn-size">Documentation</a>
+              <p class="small mt-3">Apache CloudStack 4.19.1.1 is out!</p>
             </div>
           </div>
           <div class="col-lg-7"><img src="/img/CloudStack_monkey_cloud.png" 
class="img-fluid" alt=""/></div>
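Review bot: The changed Documentation link uses `target="_blank"` with no `rel` attribute. Add `rel="noopener noreferrer"` while editing this line; the same applies to the Documentation link in the next hunk.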
@@ -219,10 +219,10 @@ specific infrastructure.
               <div class="col col-lg-5">
                 <h2 class="section-title mb-4 margin-second">Latest 
Release</h2>
                 <div class="center-buttons">
-                  <p class="px18">Apache CloudStack 4.19.1.0 is out!<br/>This 
is the latest LTS release.</p>
+                  <p class="px18">Apache CloudStack 4.19.1.1 is out!<br/>This 
is the latest LTS release.</p>
                   <a href="downloads" class="btn btn-primary 
btn-size">Download</a>
                   &nbsp;
-                  <a href="https://docs.cloudstack.apache.org/en/4.19.1.0/"; 
target="_blank" class="btn btn-outline-secondary btn-size">Documentation</a>
+                  <a href="https://docs.cloudstack.apache.org/en/4.19.1.1/"; 
target="_blank" class="btn btn-outline-secondary btn-size">Documentation</a>
                 </div>
               </div>
               <div class="col-lg-7"><img 
src="/img/CloudStack_release_illustration.png" class="img-fluid img-release" 
alt=""/></div>
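Review bot: The version string is edited by hand in four places across this hunk and the previous one (two `docs.cloudstack.apache.org/en/4.19.1.1/` hrefs and two "is out!" lines), and again in `downloads.mdx` and the `versions` array. A missed occurrence would leave the front page pointing at 4.19.1.0, which the advisory tells users to skip; consider deriving these from a single constant.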
