Security Updates

From OSNEXUS Online Documentation Site
Revision as of 07:26, 4 June 2015 by Qadmin


QuantaStor uses Ubuntu Server LTS as its base Linux distribution. QuantaStor also ships the security patches packaged by Canonical, so that customers can patch the various parts of the operating system and keep the system secure and stable.

QuantaStor 3.x Security Notifications

On this page we maintain a summary of all security-related product changes made to QuantaStor, and we post specific notices about Linux security issues that affect packages distributed with QuantaStor, such as the OpenSSL libraries.

For details on all the latest security notifications for the Ubuntu LTS release used by QuantaStor, see http://www.ubuntu.com/usn/precise/. We recommend that appliance administrators periodically audit their systems and install any and all security updates. It is highly recommended that systems are updated to the latest patches before they are initially deployed. To apply the latest updates, including security updates, log in to the system as the 'qadmin' administrator account and run the following commands:

sudo apt-get update
sudo apt-get upgrade
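The periodic audit recommended above can be turned into a repeatable check. The following is an added example, not QuantaStor tooling and not from the OSNEXUS documentation: it implements the dpkg version-comparison rules in pure Python (so it runs without dpkg available) and compares installed package versions, read from `dpkg-query`, against minimum fixed versions published in Ubuntu Security Notices. The entries in FIXED_VERSIONS and the dpkg-query sample output are illustrative assumptions; take the real thresholds from the USN text for the release in use.

```python
"""Audit installed packages against USN fixed versions (added example)."""
import re
import subprocess

# Minimum fixed versions for Ubuntu 12.04 LTS. ASSUMPTION: illustrative values;
# confirm each against the USN page before relying on it.
FIXED_VERSIONS = {
    "bash": ("USN-2364-1", "4.2-2ubuntu2.6"),
    "openssl": ("USN-2385-1", "1.0.1-4ubuntu5.20"),
    "libssl1.0.0": ("USN-2385-1", "1.0.1-4ubuntu5.20"),
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output.
SAMPLE_DPKG_OUTPUT = """\
bash 4.2-2ubuntu2.2
libssl1.0.0 1.0.1-4ubuntu5.20
openssl 1.0.1-4ubuntu5.12
sudo 1.8.3p1-1ubuntu3.7
"""

_RUNS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs


def _split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _char_order(c):
    """dpkg ordering: '~' sorts before everything (even end of string),
    then end of string (0), then letters, then all other characters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return oa - ob
    return 0


def _cmp_fragment(a, b):
    """Compare one version part run by run, as dpkg does."""
    ra, rb = _RUNS.findall(a), _RUNS.findall(b)
    n = max(len(ra), len(rb))
    ra += [("", "")] * (n - len(ra))
    rb += [("", "")] * (n - len(rb))
    for (na, da), (nb, db) in zip(ra, rb):
        c = _cmp_nondigit(na, nb)
        if c:
            return -1 if c < 0 else 1
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 with the semantics of `dpkg --compare-versions`."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_query(text):
    """Map package name -> installed version from dpkg-query output."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, _, version = line.partition(" ")
            installed[name] = version
    return installed


def audit(installed, fixed=FIXED_VERSIONS):
    """Return {package: (installed, required, usn)} for packages below the fix."""
    findings = {}
    for pkg, (usn, required) in fixed.items():
        have = installed.get(pkg)
        if have is not None and compare_versions(have, required) < 0:
            findings[pkg] = (have, required, usn)
    return findings


def installed_packages():
    """Read the live dpkg database (Debian/Ubuntu hosts only)."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f", "${Package} ${Version}\\n"],
        check=True, capture_output=True, text=True).stdout
    return parse_dpkg_query(out)


if __name__ == "__main__":
    findings = audit(parse_dpkg_query(SAMPLE_DPKG_OUTPUT))
    for pkg, (have, need, usn) in sorted(findings.items()):
        print(f"{pkg}: installed {have} is older than {need} ({usn})")
```

On an appliance, replace the sample with `installed_packages()` to audit the live system; a package listed as older than its USN threshold is one the upgrade commands above should bring forward. Before applying anything, `sudo apt-get -s upgrade` previews the package changes without making them.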

Linux Base OS Security Fixes / Notifications

Date Vulnerability USN References
05/21/2015 FUSE vulnerability USN-2617-1 CVE-2015-3202
05/12/2015 OpenSSL update USN-2606-1 LP: 1442970
05/11/2015 Libtasn1 vulnerability USN-2604-1 CVE-2015-3622
05/05/2015 ppp vulnerability USN-2595-1 CVE-2015-3310
04/30/2015 curl vulnerabilities USN-2591-1 CVE-2015-3143 CVE-2015-3148 CVE-2015-3153
04/27/2015 tcpdump vulnerabilities USN-2580-1 CVE-2015-0261 CVE-2015-2155
04/21/2015 OpenJDK 6 vulnerabilities USN-2573-1 CVE-2015-0488 CVE-2015-0460 CVE-2015-0478 CVE-2015-0480
04/13/2015 libx11, libxrender vulnerability USN-2568-1 CVE-2013-7439
04/08/2015 Libtasn1 vulnerability USN-2559-1 CVE-2015-2806
04/01/2015 Libgcrypt vulnerabilities USN-2555-1 CVE-2014-3591 CVE-2015-0837
04/01/2015 GnuPG vulnerabilities USN-2554-1 CVE-2015-1606 CVE-2014-3591 CVE-2015-1607
03/23/2015 GnuTLS vulnerabilities USN-2540-1 CVE-2014-8155 CVE-2015-0294
03/19/2015 OpenSSL vulnerabilities USN-2537-1 CVE-2015-0209 CVE-2015-0289 CVE-2015-0293 CVE-2015-0288
03/16/2015 Sudo vulnerability USN-2533-1 CVE-2014-9680
02/26/2015 GNU C Library vulnerabilities USN-2519-1 CVE-2013-7423 CVE-2015-1473
02/24/2015 FreeType vulnerabilities USN-2510-1 CVE-2014-9656 CVE-2014-9663 CVE-2014-9660 CVE-2014-9667 CVE-2014-9664 CVE-2014-9668 CVE-2014-9659 CVE-2014-9675 CVE-2014-9671 CVE-2014-9672
02/23/2015 ca-certificates update USN-2509-1 LP: 1423904
02/23/2015 Samba vulnerability USN-2508-1 CVE-2015-0240
02/23/2015 e2fsprogs vulnerabilities USN-2507-1 CVE-2015-0247 CVE-2015-1572
02/19/2015 NSS update USN-2504-1 LP: 1423031
02/17/2015 unzip vulnerabilities USN-2502-1 CVE-2015-1315
02/10/2015 Kerberos vulnerabilities USN-2498-1 CVE-2014-5351 CVE-2014-9421 CVE-2014-9423 CVE-2014-5354
02/04/2015 file vulnerabilities USN-2494-1 CVE-2014-3710 CVE-2014-8117
01/27/2015 OpenJDK 6 vulnerabilities USN-2486-1 CVE-2014-3566 CVE-2015-0410 CVE-2015-0395 CVE-2015-0400 CVE-2014-6591 CVE-2014-6593 CVE-2015-0412
01/27/2015 GNU C Library vulnerability USN-2485-1 CVE-2015-0235
01/22/2015 elfutils vulnerability USN-2482-1 CVE-2014-9447
01/19/2015 libevent vulnerability USN-2477-1 CVE-2014-6272
01/15/2015 curl vulnerability USN-2474-1 CVE-2014-8150
01/14/2015 coreutils vulnerabilities USN-2473-1 CVE-2014-9471 CVE-2009-4135
01/14/2015 unzip vulnerabilities USN-2472-1 CVE-2014-8141 CVE-2014-8139
01/13/2015 Git vulnerability USN-2470-1 CVE-2014-9390
01/12/2015 OpenSSL vulnerabilities USN-2459-1 CVE-2014-3570 CVE-2015-0204 CVE-2014-8275 CVE-2015-0206
01/08/2015 GNU cpio vulnerabilities USN-2456-1 CVE-2010-0624 CVE-2014-9112
01/07/2015 mime-support vulnerability USN-2453-1 CVE-2014-7209
01/07/2015 NSS vulnerability USN-2452-1 CVE-2014-1569
12/04/2014 tcpdump vulnerabilities USN-2433-1 CVE-2014-8767 CVE-2014-9140
12/03/2014 GNU C Library vulnerabilities USN-2432-1 CVE-2014-7817 CVE-2012-6656
12/01/2014 ppp vulnerability USN-2429-1 CVE-2014-3158
11/27/2014 DBus vulnerability USN-2425-1 CVE-2014-7824
11/10/2014 curl vulnerability USN-2399-1 CVE-2014-3707
10/30/2014 Wget vulnerability USN-2393-1 CVE-2014-4877
10/27/2014 libxml2 vulnerability USN-2389-1 CVE-2014-3660
10/16/2014 OpenJDK 6 vulnerabilities USN-2386-1 CVE-2014-6457 CVE-2014-6506 CVE-2014-6558 CVE-2014-6531 CVE-2014-6519 CVE-2014-6511 LP: 1382205
10/16/2014 OpenSSL vulnerabilities USN-2385-1 CVE-2014-3513 CVE-2014-3567
10/09/2014 Rsyslog vulnerabilities USN-2381-1 CVE-2014-3683 CVE-2014-3634
10/09/2014 Bash vulnerabilities USN-2380-1 CVE-2014-6277 CVE-2014-6278
10/08/2014 APT vulnerability USN-2370-1 CVE-2014-7206
10/02/2014 file vulnerability USN-2369-1 CVE-2014-3587
10/02/2014 OpenSSL update USN-2367-1 LP: 1376447
09/27/2014 Bash vulnerabilities USN-2364-1 CVE-2014-7186 CVE-2014-7187
09/25/2014 Bash vulnerability USN-2363-1 CVE-2014-7169
09/24/2014 NSS vulnerability USN-2361-1 CVE-2014-1568
09/24/2014 Bash vulnerability USN-2362-1 CVE-2014-6271
09/23/2014 APT vulnerability USN-2353-1 CVE-2014-6273
09/22/2014 DBus vulnerabilities USN-2352-1 CVE-2014-3638 CVE-2014-3639 CVE-2014-3635
09/22/2014 NSS update USN-2350-1 LP: 1372410
09/16/2014 APT vulnerabilities USN-2348-1 CVE-2014-0490 CVE-2014-0487
09/15/2014 curl vulnerabilities USN-2346-1 CVE-2014-3620 CVE-2014-3613
09/09/2014 NSS vulnerability USN-2343-1 CVE-2014-1544
09/03/2014 Libgcrypt vulnerability USN-2339-2 CVE-2014-5270
09/03/2014 GnuPG vulnerability USN-2339-1 CVE-2014-5270
08/28/2014 GNU C Library vulnerability USN-2328-1 CVE-2014-5119
08/12/2014 OpenJDK 6 vulnerabilities USN-2312-1 CVE-2014-4262 CVE-2014-4263 CVE-2014-4268 CVE-2014-2490 CVE-2014-4219 CVE-2014-4218
08/11/2014 Kerberos vulnerabilities USN-2310-1 CVE-2012-1016 CVE-2014-4343 CVE-2013-1418 CVE-2014-4345 CVE-2014-4344 CVE-2013-6800
08/07/2014 OpenSSL vulnerabilities USN-2308-1 CVE-2014-3505 CVE-2014-3512 CVE-2014-3508 CVE-2014-3509 CVE-2014-5139
08/04/2014 GNU C Library vulnerabilities USN-2306-1 CVE-2013-4357 CVE-2014-4043
07/22/2014 Libtasn1 vulnerabilities USN-2294-1 CVE-2014-3467 CVE-2014-3469
07/15/2014 file vulnerabilities USN-2278-1 CVE-2014-3538 CVE-2013-7345 CVE-2014-3480 CVE-2014-3479
07/08/2014 DBus vulnerabilities USN-2275-1 CVE-2014-3533 CVE-2014-3477
07/02/2014 NSPR vulnerability USN-2265-1 CVE-2014-1545
06/26/2014 GnuPG vulnerability USN-2258-1 CVE-2014-4617
06/26/2014 Samba vulnerabilities USN-2257-1 CVE-2014-0178 CVE-2014-3493
06/23/2014 OpenSSL regression USN-2232-3 LP: 1332643
06/17/2014 APT vulnerability USN-2246-1 CVE-2014-0478
06/17/2014 libxml2 regression USN-2214-3 LP: 1321869
06/12/2014 OpenSSL regression USN-2232-2 LP: 1329297
06/09/2014 libxml2 regression USN-2214-2 LP: 1321869
06/05/2014 OpenSSL vulnerabilities USN-2232-1 CVE-2014-3470 CVE-2014-0195
06/02/2014 GnuTLS vulnerability USN-2229-1 CVE-2014-3466
05/15/2014 libxml2 vulnerability USN-2214-1 CVE-2014-0191
05/05/2014 OpenSSL vulnerabilities USN-2192-1 CVE-2014-0198 CVE-2010-5298
05/01/2014 OpenJDK 6 vulnerabilities USN-2191-1 CVE-2014-1876 CVE-2014-2427 CVE-2014-2421 CVE-2014-2403 CVE-2014-0429 CVE-2014-2405 CVE-2014-0453 CVE-2014-0452 CVE-2014-0462 CVE-2014-2423 CVE-2014-0459 CVE-2014-0458


OpenSSL Security Updates: fixes for Heartbleed (CVE-2014-0160) and CVE-2014-0076, for POODLE (CVE-2014-3566), and for the OpenSSL issues CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568

Ubuntu Security update notifications:

http://www.ubuntu.com/usn/usn-2165-1/

http://www.ubuntu.com/usn/usn-2367-1/

http://www.ubuntu.com/usn/usn-2385-1/

You can upgrade OpenSSL to the latest release, which includes these fixes, with the console commands below as the 'qadmin' administrative user. Processes that loaded the old library before the upgrade (the core service, the REST service and Tomcat) keep using it until they are restarted, so restart the services or reboot the appliance afterwards. Note also that POODLE is a weakness in the SSLv3 protocol itself; the package update limits downgrade attacks, but the protocol should be disabled in the services as well, which QuantaStor 3.15.0 does (see Core Product Security Updates below).

sudo apt-get update
sudo apt-get install openssl libssl1.0.0

Bash Security Updates 'SHELLSHOCK' CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Ubuntu Security update notifications:

http://www.ubuntu.com/usn/usn-2362-1/

http://www.ubuntu.com/usn/usn-2363-2/

http://www.ubuntu.com/usn/usn-2364-1/

You can upgrade Bash to the latest release, which includes the Shellshock fixes, with the console commands below as the 'qadmin' administrative user:

sudo apt-get update
sudo apt-get install bash
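After the upgrade, the quickest confirmation is to run bash with a crafted environment variable and see whether the old function-import behaviour is gone. The following is an added example, not QuantaStor tooling and not from the Ubuntu notices: it exercises CVE-2014-6271 (code after the function body must not execute) and the CVE-2014-7169 parser variant (a vulnerable bash runs `date` with its output redirected into a file named `echo` instead of printing the word), working in a temporary directory so the second check leaves nothing behind. It assumes bash is on PATH and does not cover CVE-2014-7186 or CVE-2014-7187.

```python
"""Check the installed bash for the two main Shellshock behaviours (added example)."""
import os
import shutil
import subprocess
import tempfile


def _run_bash(env_name, env_value, command, cwd):
    """Start a fresh bash with one extra environment variable and run `command`."""
    env = dict(os.environ, **{env_name: env_value})
    return subprocess.run(["bash", "-c", command], env=env, cwd=cwd,
                          capture_output=True, text=True, timeout=10)


def shellshock_status():
    """Return {cve: vulnerable?} for CVE-2014-6271 and CVE-2014-7169,
    or None when no bash binary is available to test."""
    if shutil.which("bash") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        # CVE-2014-6271: a vulnerable bash executes the trailing command while
        # importing the function definition and prints the marker.
        r = _run_bash("X", "() { :;}; echo SHELLSHOCK", "echo test", tmp)
        cve_6271 = "SHELLSHOCK" in r.stdout
        # CVE-2014-7169: the incomplete fix left a parser bug; a vulnerable bash
        # turns `echo date` into `date > echo`, creating a file called 'echo'.
        _run_bash("X", "() { (a)=>\\", "echo date", tmp)
        cve_7169 = os.path.exists(os.path.join(tmp, "echo"))
    return {"CVE-2014-6271": cve_6271, "CVE-2014-7169": cve_7169}


if __name__ == "__main__":
    print(shellshock_status())
```

Both values should be False on a bash from USN-2364-1 or later; a True for either means the package upgrade did not take effect (for example, a different bash binary on PATH), not that the notice was incomplete.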

Core Product Security Updates

QuantaStor 3.15.1 (May 28th 2015)

  • adds firewall support for disabling access to unused storage services
  • fix to support creation of roles with no permissions

QuantaStor 3.15.0 (May 1st 2015)

  • adds support for customizing the pem files for all services (core qs_service, REST service, and Tomcat)
  • adds support for customizing the SSL ciphers, applies strong cipher limits automatically
  • adds SSL cert generation script which deposits custom certs into /var/opt/osnexus/quantastor/ssl which are automatically picked up by REST and core services
  • adds script command to upgrade from Java 6 to Java 7 (qs-util java7upgrade), which allows browsers to connect via https using stronger ciphers / TLS 1.2
  • fix to disable all use of SSLv3 across all internal services (Core service, Tomcat, REST API service) in favor of TLS for improved security / HIPAA compliance
  • fix to allow removal of duplicate 'admin' users
  • fix to remove duplicate user entries in Samba config when user assigned as 'Admin' on a share
  • fix to password length enforcement (8-34 char)

QuantaStor 3.12.2 (July 22nd 2014)

  • fix to set password error message to show 8 to 40 characters required
  • fix to update user password changes to all grid nodes

QuantaStor 3.12.0 (June 27th 2014)

  • adds new https keystore for web management interface (be sure to clear your browser cache)
  • adds secure mode 'qs-util disablehttp' to enable/disable http access (port 80) to force admins to use https for web management
  • fix to core service to allow for changing openssl pem files

QuantaStor 3.9.3 (March 7th 2014)

  • fix to AD domain leave operation to remove AD computer entry