Security Update Archive
Linux Base OS Security Fixes / Notifications
Security notifications for QuantaStor base OS packages are now available at the OSNEXUS Security Notices site (http://services.osnexus.com/security).
Core Product Security Updates
QuantaStor 4.5.0 (March 9th 2018)
- Kernel 4.4.0-112 includes fixes for the following security items:
  - Spectre - Variant 1 - CVE-2017-5753
  - Meltdown - Variant 3 - CVE-2017-5754
- Note: Spectre Variant 2 (CVE-2017-5715) is a firmware code issue and can only be addressed with updated microcode in a motherboard BIOS or firmware update from the processor manufacturer.
QuantaStor 4.3.1 (June 30th 2017)
- Fixed a security issue with bad password responses. Fixes items found related to CVE-2017-9978.
- Fixed the REST API response for when a method is unsupported. Fixes items found related to CVE-2017-9979.
QuantaStor 4.1.5 (Jan 18th 2017)
- Fixed: Addressed SSL concern CVE-2016-2183 (SWEET32) with an updated qsciphers file that removes DES and 3DES ciphers.
- Fixed: Disabled Tomcat web port 8443.
QuantaStor 4.0.8 (Nov 18th 2016)
- Adds new 3.19.0-73 Linux kernel that includes updates and a security patch to address CVE-2016-5195 (Dirty COW).
QuantaStor 4.0.0 (March 31st 2016)
- Fixed: Addressed CVE-2015-4000 (Logjam) in the Web Server Package by increasing the default modulus length to 2048 bits and removing weak DHE (Diffie-Hellman) ciphers.
- Added: New QuantaStor users created via the Users and Groups section of the Web Manager or 'qs user-add' CLI command will now have the same User ID on all QuantaStor nodes. The new UID range is 100000000-199999999.
- Fixed: An unexpected web request to the Web Server will now correctly route to a 404 error page.
QuantaStor 3.15.1 (May 28th 2015)
- adds firewall support for disabling access to unused storage services
- fix to support creation of roles with no permissions
QuantaStor 3.15.0 (May 1st 2015)
- adds support for customizing the pem files for all services (core qs_service, REST service, and Tomcat)
- adds support for customizing the SSL ciphers, applies strong cipher limits automatically
- adds SSL cert generation script which deposits custom certs into /var/opt/osnexus/quantastor/ssl which are automatically picked up by REST and core services
- adds script command to upgrade from Java 6 to Java 7 (qs-util java7upgrade), which allows browsers to connect via https using stronger ciphers / TLS 1.2
- fix to disable all use of SSLv3 across all internal services (Core service, Tomcat, REST API service) in favor of TLS for improved security / HIPAA compliance
- fix to allow removal of duplicate 'admin' users
- fix to remove duplicate user entries in Samba config when user assigned as 'Admin' on a share
- fix to password length enforcement (8-34 char)
QuantaStor 3.12.2 (July 22nd 2014)
- fix to set password error message to show 8 to 40 characters required
- fix to update user password changes to all grid nodes
QuantaStor 3.12.0 (June 27th 2014)
- adds new https keystore for web management interface (be sure to clear your browser cache)
- adds secure mode 'qs-util disablehttp' to enable/disable http access (port 80) to force admins to use https for web management
- fix to core service to allow for changing openssl pem files
QuantaStor 3.9.3 (March 7th 2014)
- fix to AD domain leave operation to remove AD computer entry