Security Update Archive

From OSNEXUS Online Documentation Site

Linux Base OS Security Fixes / Notifications

Security notifications for QuantaStor base OS packages are now available at the OSNEXUS Security Notices site (http://services.osnexus.com/security).

Core Product Security Updates

QuantaStor 4.5.0 (March 9th 2018)

  • Kernel 4.4.0-112 includes fixes for the following security issues:
    • Spectre - Variant 1 - CVE-2017-5753
    • Meltdown - Variant 3 - CVE-2017-5754
  • Note: Spectre Variant 2 (CVE-2017-5715) is a firmware code issue and can only be addressed with updated microcode, delivered in a motherboard BIOS update or a firmware update from the processor manufacturer.

QuantaStor 4.3.1 (June 30th 2017)

  • Fixed a security issue with bad password responses. Addresses items found related to CVE-2017-9978.
  • Fixed the REST API response returned when a method is unsupported. Addresses items found related to CVE-2017-9979.

QuantaStor 4.1.5 (Jan 18th 2017)

  • Fixed: Addressed SSL concern CVE-2016-2183 (SWEET32) with an updated qsciphers file that removes DES and 3DES ciphers.
  • Fixed: Disabled Tomcat web port 8443.

QuantaStor 4.0.8 (Nov 18th 2016)

  • Adds new 3.19.0-73 Linux kernel that includes updates and a security patch to address CVE-2016-5195 (Dirty COW)

QuantaStor 4.0.0 (March 31st 2016)

  • Fixed: Addressed CVE-2015-4000 (Logjam) in the Web Server Package by increasing the default modulus length to 2048 bits and removing weak DHE (Diffie-Hellman) ciphers.
  • Added: New QuantaStor users created via the Users and Groups section of the Web Manager or 'qs user-add' CLI command will now have the same User ID on all QuantaStor nodes. The new UID range is 100000000-199999999.
  • Fixed: An unexpected web request to the Web Server will now correctly route to a 404 error page.

QuantaStor 3.15.1 (May 28th 2015)

  • adds firewall support for disabling access to unused storage services
  • fix to support creation of roles with no permissions

QuantaStor 3.15.0 (May 1st 2015)

  • adds support for customizing the pem files for all services (core qs_service, REST service, and Tomcat)
  • adds support for customizing the SSL ciphers, applies strong cipher limits automatically
  • adds SSL cert generation script which deposits custom certs into /var/opt/osnexus/quantastor/ssl which are automatically picked up by REST and core services
  • adds script command to upgrade from Java 6 to Java 7 (qs-util java7upgrade), which allows browsers to connect via https using stronger ciphers / TLS 1.2
  • fix to disable all use of SSLv3 across all internal services (Core service, Tomcat, REST API service) in favor of TLS for improved security / HIPAA compliance
  • fix to allow removal of duplicate 'admin' users
  • fix to remove duplicate user entries in Samba config when user assigned as 'Admin' on a share
  • fix to password length enforcement (8-34 char)

QuantaStor 3.12.2 (July 22nd 2014)

  • fix to set password error message to show 8 to 40 characters required
  • fix to update user password changes to all grid nodes

QuantaStor 3.12.0 (June 27th 2014)

  • adds new https keystore for web management interface (be sure to clear your browser cache)
  • adds secure mode 'qs-util disablehttp' to enable/disable http access (port 80) to force admins to use https for web management
  • fix to core service to allow for changing openssl pem files

QuantaStor 3.9.3 (March 7th 2014)

  • fix to AD domain leave operation to remove AD computer entry