On Sat, Jun 01, 2013 at 01:35:06PM -0400, Chip Childers wrote:
> The vote has *passed* with the following results (binding PMC votes
> indicated with a "*" next to their name):
> 
> +1 : Edison*, Hugo*, Marcus*, David*, Wido*, Ilya, Animesh, Milamber,
>      Joe*, Simon, Prasanna*
> -0 : John
> -1 : Ove
> 
> I'm going to proceed with moving the release into the distribution repo
> now, and will do the DEB / RPM builds to push Wido's repo site / push
> cloudmonkey to pypi on Monday.
> 
> I do note Ove's -1, due to upstream Tomcat changes.  I know Prasanna
> mentioned that he was going to check with that project to see why the
> change happened.  We will need to discuss what (if anything) this
> project should do to resolve the issue for users.  This issue will block
> users of all prior versions as well, so it's nothing *in* our code that
> causes the bug.  This is my logic for not cancelling the vote.
> 

I couldn't find a reasonably good solution for this. The vulnerability
was fixed in Tomcat more than a year ago and the fix was applied only
recently, as Ove pointed out, in the distros. While this doesn't affect
those upgrading, it is problematic for those installing CloudStack
afresh. Any version - 3.0.2, ($insert_commercial_version), 4.0,
4.0.1, 4.0.2, 4.1 and even the 4.2-SNAPSHOT RPMs.

I've applied a fix on master (54127f8) that I think is reasonable, by
changing the permissions on the file so it is owned by user `cloud`,
which is the user cloudstack-management will run as. To understand why
this is not an obvious hack, please see [1]. If there's an even more
elegant way, please let the list know.

I'm also not quite sure how and when the deb packages will be
affected. It looked like the Debian users haven't reported this
problem yet. We started seeing issues of this right after May 25th;
should've paid more attention then (/me facepalm).

It's an awkward situation, so I'm not sure what will be the next
course of action since our src release is ready to be published.

The options are:
a) Publish a workaround of giving `cloud` permissions to catalina.out
b) Release a new source package with the fix cherry-picked to 4.1 and
wherever applicable.

b) shouldn't take longer - just testing the packaging should be
sufficient. CloudStack's overall functionality is satisfactory from
the tests done so far.

[1] http://markmail.org/thread/wuknrv3ml5lfdq7c

-- 
Prasanna.,