| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Jan 2014 17:56:20 +0100 From: Tomaz Muraus <tomaz@...che.org> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: [CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node Severity: Low Vendor: Apache Software Foundation Project: Apache Libcloud (http://libcloud.apache.org/) Affected Versions: Apache Libcloud 0.12.3 to 0.13.3 (version prior to 0.12.3 don't include a DigitalOcean driver) Description: DigitalOcean recently changed the default API behavior from scrub to non-scrub when destroying a VM. Libcloud doesn't explicitly send "scrub_data" query parameter when destroying a node. This means nodes which are destroyed using Libcloud are vulnerable to later customers stealing data contained on them. Note: Only users who are using DigitalOcean driver are affected by this issue. References: - - http://libcloud.apache.org/security.html - - https://digitalocean.com/blog_posts/transparency-regarding-data-security - - https://github.com/fog/fog/issues/2525 Mitigation: This vulnerability has been fixed in version 0.13.3. Users who use DigitalOcean driver are strongly encouraged to upgrade to this release. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQJ8BAEBCgBmBQJSxEgAXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5OTc4MjhEQzYyRjc1OUNFQTE4OUQ2NUUy QzA3NTRCMkNFMDY5MkYzAAoJECwHVLLOBpLzbRcQAJqSobMiGfjpBQCGhda8zW62 6aPEjyuStv9FZ0/eLN6bxPCV8LdxOYy6M1oehr3ntT56Dd/lZ9+gwJunTH3UqWmq ZqiwmME8JLhNTLC8tab+yE82lQlck2iXgTaJ5pZfXELFPiTEZ+DAQN26CpkA8bLO cXAlMJkskPS6BkkgLDtLfO9RHe8T0QsEcHxQSwCpursiIlQEfjG3tQqG21KEvSm6 Q31qv87cZrG2pQPXEQ7Ir59E7Yos/7vEnG57wY/Xj94wKeKpHxnBUUL37BW+/tb1 qP29zZUol628HxowsGCN7xJPlXrcc4wc37rWja/UTcBWZGUk4EKTX9xXVs1jKuPB lJqlGkEHglRcFI1AJLv9VkPBj77z6aEFu89bbJn8aZwAmPwnIBLZiJGp0LvqlVap RYgV8SdLb1D4GxTDJJN76PLghMJdo1mEUwLbinr8JGH/MXzTkTUwgMCv7ks8ww7Q hZp40rKDY+Su7VML6ONcnnvZTlAxCJM2lexD0svV8e3oXf/8lUzlnHCHQH8/TIrV 6DV4mj7Yg+HiR9Tj8+AMAAmC5l88Byl/+sJjAEdWBTKjzwiey5ocDX5s/aL12o+9 JX7vnFOWaGWf0pMeGuCl2gqtG+jFoEkr7BU7d0k7TvVFTQ0jTrrhVv9rbdIiJbK4 HXvdPzy/CBQt0tUGc6UT =8Jgs -----END PGP SIGNATURE-----
Powered by blists - more mailing lists