Difference between revisions of "Security Updates"

From OSNEXUS Online Documentation Site
m (OS Security Notifications - Q1/2015)
m (Product Related Security Updates)
Line 51: Line 51:
 
</pre>
 
</pre>
  
== Product Related Security Updates ==
+
== Core Product Security Updates ==
  
 
=== QuantaStor 3.15.1 (May 28th 2015) ===
 
=== QuantaStor 3.15.1 (May 28th 2015) ===

Revision as of 12:14, 28 May 2015

QuantaStor is built on the Ubuntu Server LTS Linux distribution. QuantaStor also uses the security patches packaged by Canonical so that customers can patch the various parts of the operating system and keep the system secure and stable.

QuantaStor 3.x Security Notifications

Please see the security notifications and latest detailed information on Ubuntu 12.04 LTS: http://www.ubuntu.com/usn/precise/

We recommend that customers audit their systems periodically and install any and all security updates. It is highly recommended that systems are updated to the latest patches before being initially deployed.

To apply these updates, log in to the system with the 'qadmin' administrator account and run the following commands:

sudo apt-get update
sudo apt-get upgrade
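
As an added example (not part of the OSNEXUS documentation), the periodic audit recommended above can start from a read-only check: this script parses the `Inst` lines of `apt-get -s upgrade`, which simulates the upgrade without changing anything, and lists the packages whose candidate version comes from a `-security` archive. The function names, the sample output and its version numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: list pending updates that come from a *-security archive.
# On a live system:  apt-get update && apt-get -s upgrade | pending_security_updates
# (-s simulates the upgrade; nothing is installed.)

# Reads `apt-get -s upgrade` output on stdin and prints one line per package:
#   <package> <installed version> -> <candidate version>
pending_security_updates() {
    awk '
        # "Inst" lines look like:
        #   Inst pkg [installed] (candidate Origin:rel/suite-security [arch])
        # Matching "/<suite>-security" avoids hits on package names that
        # merely contain "-security".
        $1 == "Inst" && /\/[a-z]+-security/ {
            pkg = $2
            if ($3 ~ /^\[/) {            # upgrade of an installed package
                cur = $3
                gsub(/^\[|\]$/, "", cur)
                cand = $4
            } else {                      # package not installed yet
                cur = "(none)"
                cand = $3
            }
            sub(/^\(/, "", cand)
            print pkg, cur, "->", cand
        }'
}

# Constructed sample of simulated-upgrade output (versions are made up).
sample_output() {
    cat <<'EOF'
Inst openssl [1.0-1] (1.0-2 Ubuntu:12.04/precise-security [amd64])
Inst bash [2.0-1] (2.0-2 Ubuntu:12.04/precise-security, Ubuntu:12.04/precise-updates [amd64])
Inst libapache2-mod-security2 [3.0-1] (3.0-2 Ubuntu:12.04/precise-updates [amd64])
Inst tzdata [4.0-1] (4.0-2 Ubuntu:12.04/precise-updates [all])
Conf openssl (1.0-2 Ubuntu:12.04/precise-security [amd64])
EOF
}

# Demonstration on the constructed sample.
sample_output | pending_security_updates
```

An empty result on a live system means no pending upgrade is sourced from a `-security` archive; run `sudo apt-get update` first so the package lists are current.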

Pertinent Linux Security Notifications - Q1/2015

OpenSSL Security Updates and fix for Heartbleed CVE-2014-0076, CVE-2014-0160 and POODLE CVE-2014-3566 and OpenSSL CVE-2014-3513, CVE-2014-3568, CVE-2014-3567

Ubuntu Security update notifications:

http://www.ubuntu.com/usn/usn-2165-1/

http://www.ubuntu.com/usn/usn-2367-1/

http://www.ubuntu.com/usn/usn-2385-1/

To upgrade OpenSSL to the latest release, which includes the latest fixes, run the following console commands as the 'qadmin' administrative user:

sudo apt-get update
sudo apt-get install openssl libssl1.0.0

Bash Security Updates 'SHELLSHOCK' CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Ubuntu Security update notifications:

http://www.ubuntu.com/usn/usn-2362-1/

http://www.ubuntu.com/usn/usn-2363-2/

http://www.ubuntu.com/usn/usn-2364-1/

To upgrade Bash to the latest release, which includes the security fixes for Bash, run the following console commands as the 'qadmin' administrative user:

sudo apt-get update
sudo apt-get install bash

Core Product Security Updates

QuantaStor 3.15.1 (May 28th 2015)

  • adds firewall support for disabling access to unused storage services
  • fix to support creation of roles with no permissions

QuantaStor 3.15.0 (May 1st 2015)

  • adds support for customizing the pem files for all services (core qs_service, REST service, and Tomcat)
  • adds support for customizing the SSL ciphers, applies strong cipher limits automatically
  • adds SSL cert generation script which deposits custom certs into /var/opt/osnexus/quantastor/ssl which are automatically picked up by REST and core services
  • adds script command to upgrade from Java 6 to Java 7 (qs-util java7upgrade), which allows browsers to connect via https using stronger ciphers / TLS 1.2
  • fix to disable all use of SSLv3 across all internal services (Core service, Tomcat, REST API service) in favor of TLS for improved security / HIPAA compliance
  • fix to allow removal of duplicate 'admin' users
  • fix to remove duplicate user entries in Samba config when user assigned as 'Admin' on a share
  • fix to password length enforcement (8-34 char)

QuantaStor 3.12.2 (July 22nd 2014)

  • fix to set password error message to show 8 to 40 characters required
  • fix to update user password changes to all grid nodes

QuantaStor 3.12.0 (June 27th 2014)

  • adds new https keystore for web management interface (be sure to clear your browser cache)
  • adds secure mode 'qs-util disablehttp' to enable/disable http access (port 80) to force admins to use https for web management
  • fix to core service to allow for changing openssl pem files

QuantaStor 3.9.3 (March 7th 2014)

  • fix to AD domain leave operation to remove AD computer entry