4.18.1.1-shapeblue1 (LTS Security Release)

Advisories:

• https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.1-4.18.1.1
• https://www.shapeblue.com/apache-cloudstack-security-releases-4-18-1-1-and-4-19-0-1/

This is a ShapeBlue customer patch release that includes the following changes on top of upstream security 4.18.1.1 release:

• CVE-2024-29006 x-forwarded-for parsed by default
• CVE-2024-29007 When downloading templates or ISOs, the UI/SSVM follow http redirects with potentially dangerous consequences
• CVE-2024-29008 The extraconfig feature can be abused to load hypervisor resources on a VM instance

Additional changes:

• KVM volume snapshot backing file fix apache#8041
• KVM VM snapshot support for NFS and local storage apache#8062
• Fix non-admin logouts apache#8065
• Linstor disk offering fix apache#7952
• Linstor template volume fix apache#8082
• Linstor: fix template copy on non hyperconverged setups apache#8114
• 2FA setup fix apache#7972
• Fix VM snapshot size during storage capacity check apache#8101
• Create snapshot from VM snapshot for NFS/Local storage apache#8117

4.18.1.0-shapeblue1 packages repository

EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.18/
EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.18/
EL9: http://packages.shapeblue.com/cloudstack/upstream/el9/4.18/
Ubuntu/Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.18/

Upgrade instructions

• Recommended: Test the patch in your test/validation environment before upgrading to production
• Backup your production DB dump before upgrading to this patch release
• Check and upgrade any installed cloudstack packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8, EL9 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
• Post upgrade, restart the upgraded services such as cloudstack-management and cloudstack-agent
• Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.18.1.1-shapeblue1

4.19.0.1-shapeblue0 (LTS Security Release)

Advisories:

• https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.1-4.18.1.1
• https://www.shapeblue.com/apache-cloudstack-security-releases-4-18-1-1-and-4-19-0-1/

This is a ShapeBlue customer patch release that is based on upstream security 4.19.0.1 release:

• CVE-2024-29006 x-forwarded-for parsed by default
• CVE-2024-29007 When downloading templates or ISOs, the UI/SSVM follow http redirects with potentially dangerous consequences
• CVE-2024-29008 The extraconfig feature can be abused to load hypervisor resources on a VM instance

4.19 packages repository

EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.19/
EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.19/
EL9: http://packages.shapeblue.com/cloudstack/upstream/el9/4.19/
Ubuntu/Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.19/

Upgrade instructions

• Recommended: Test the patch in your test/validation environment before upgrading to production
• Backup your production DB dump before upgrading to this patch release
• Check and upgrade any installed cloudstack packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8, EL9 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
• Post upgrade, restart the upgraded services such as cloudstack-management and cloudstack-agent
• Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.19.0.1

4.18.1.0-shapeblue1

This is a ShapeBlue customer patch release that includes the following changes on top of upstream 4.18.1.0 release:

• KVM volume snapshot backing file fix apache#8041
• KVM VM snapshot support for NFS and local storage apache#8062
• Fix non-admin logouts apache#8065
• Linstor disk offering fix apache#7952
• Linstor template volume fix apache#8082
• Linstor: fix template copy on non hyperconverged setups apache#8114
• 2FA setup fix apache#7972
• Fix VM snapshot size during storage capacity check apache#8101
• Create snapshot from VM snapshot for NFS/Local storage apache#8117

4.18.1.0-shapeblue1 packages repository

EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.18/
EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.18/
EL9: http://packages.shapeblue.com/cloudstack/upstream/el9/4.18/
Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.18/

Upgrade instructions

• Applicability: this patch can be applied in an environment that has Apache CloudStack 4.18.1.0 installed
• Recommended: Test the patch in your test/validation environment before upgrading to production
• Backup your production DB dump before upgrading to this patch release
• Check and upgrade any installed cloudstack packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8, EL9 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
• Post upgrade, restart the upgraded services such as cloudstack-management and cloudstack-agent
• Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.18.1.0-shapeblue1

4.17.2.0-shapeblue3

This is a ShapeBlue customer patch release that includes the following changes on top of 4.17.2.0-shapeblue2:

• KVM volume snapshot backing file fix apache#8041
• KVM VM snapshot support for NFS and local storage apache#8062

4.17.2.0-shapeblue3 packages repository

EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.17/
EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.17/
Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.17/

Upgrade instructions

• Applicability: this patch can be applied in an environment that has Apache CloudStack 4.17.2.0-shapeblue2 installed
• Recommended: Test the patch in your test/validation environment before upgrading to production
• Backup your production DB dump before upgrading to this patch release
• Check and upgrade any installed cloudstack packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
• Post upgrade, restart the upgraded services such as cloudstack-management and cloudstack-agent
• Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.17.2.0-shapeblue3

4.17.2.0-shapeblue2

This is a ShapeBlue customer patch release that includes the following changes on top of upstream 4.17.2.0 release:

• apache#7846
• apache#6748
• apache#7584

4.17.2.0-shapeblue2 packages repository

EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.17/
EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.17/
Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.17/

Upgrade instructions

• Applicability: this patch can be applied in an environment that has Apache CloudStack 4.17.2.0 installed
• Recommended: Test the patch in your test/validation environment before upgrading to production
• Backup your production DB dump before upgrading to this patch release
• Check and upgrade any installed cloudstack 4.17.2.0 packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
• Post upgrade, restart the upgraded services such as cloudstack-management
• Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.17.2.0-shapeblue2

apache#6748

Steps to validate the fix

1.Create 2 domains
2.Create a network offering and associate with the 2 domains
3.Execute the list network oferring api call and pass both the domainid's
4.It should list the network offering assoicated with both domains

apache#7584

Steps to validate the fix

1.Enable vm.configdrive.force.host.cache.use in Global Configuration.
2.Create a L2 network with config drive
3.Deploy a vm with the L2 network created in previous step
4.Stop the vm and destroy vm (not expunge it)
5.Stop the cloudstack-agent on the KVM's host
6.Expunge the vm
7.The vm should get expunged without any issues

4.18.0.0-shapeblue1

This is a ShapeBlue customer patch release that includes the following changes on top of upstream 4.18.0.0 release:

• apache#7584

4.18.0.0-shapeblue1 packages repository

EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.18/
EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.18/
EL9: http://packages.shapeblue.com/cloudstack/upstream/el9/4.18/
Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.18/

Upgrade instructions

• Applicability: this patch can be applied in an environment that has Apache CloudStack 4.18.0.0 installed
• Recommended: Test the patch in your test/validation environment before upgrading to production
• Backup your production DB dump before upgrading to this patch release
• Check and upgrade any installed cloudstack 4.17.2.0 packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8, EL9 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
• Post upgrade, restart the upgraded services such as cloudstack-management
• Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.18.0.0-shapeblue1

apache#7584

Steps to validate the fix

1.Enable vm.configdrive.force.host.cache.use in Global Configuration.
2.Create a L2 network with config drive
3.Deploy a vm with the L2 network created in previous step
4.Stop the vm and destroy vm (not expunge it)
5.Stop the cloudstack-agent on the KVM's host
6.Expunge the vm
7.The vm should get expunged without any issues

4.17.2.0-shapeblue1

This is a ShapeBlue customer patch release that includes the following changes on top of upstream 4.17.2.0 release:

• apache#6748
• apache#7584

4.17.2.0-shapeblue1 packages repository

EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.17/
EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.17/
Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.17/

Upgrade instructions

• Applicability: this patch can be applied in an environment that has Apache CloudStack 4.17.2.0 installed
• Recommended: Test the patch in your test/validation environment before upgrading to production
• Backup your production DB dump before upgrading to this patch release
• Check and upgrade any installed cloudstack 4.17.2.0 packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
• Post upgrade, restart the upgraded services such as cloudstack-management
• Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.17.2.0-shapeblue1

apache#6748

Steps to validate the fix

1.Create 2 domains
2.Create a network offering and associate with the 2 domains
3.Execute the list network oferring api call and pass both the domainid's
4.It should list the network offering assoicated with both domains

apache#7584

Steps to validate the fix

1.Enable vm.configdrive.force.host.cache.use in Global Configuration.
2.Create a L2 network with config drive
3.Deploy a vm with the L2 network created in previous step
4.Stop the vm and destroy vm (not expunge it)
5.Stop the cloudstack-agent on the KVM's host
6.Expunge the vm
7.The vm should get expunged without any issues

4.15.2.0-shapeblue3

This is a ShapeBlue customer patch release on top of the previous SB customer patch release 4.15.2.0-shapeblue2 and includes the following changes on top of upstream 4.15.2.0 release:

• Fix storage cleanup corner case preventing VM deletion (apache#5575)
• saml: Safer DocumentBuilderFactory and ParserPool configuration
• VR: add rules for traffic between static nat and private gateway (apache#6153)
• kvm: truncate vnc password to 8 chars (apache#6244)
• kvm: Fix VM migration error due to VNC password on libvirt limiting versions (apache#6404)
• Fix export snapshot and template to secondary storage to export only (apache#5510)
• vmware: fix NPE for volume migration CLUSTER to ZONE-wide pool (apache#5582)

4.15.2.0-shapeblue3 packages repository

• EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.15/
• EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.15/
• Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.15/

Upgrade instructions

• Applicability: this patch can be applied in an environment that has Apache CloudStack 4.15.2.0 installed or one of the earlier ShapeBlue 4.15 patch releases
• Recommended: Test the patch in your test/validation environment before upgrading to production
• Backup your production DB dump before upgrading to this patch release
• Check and upgrade any installed cloudstack 4.15.2.0 packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
• Post upgrade, restart the upgraded services such as cloudstack-management and cloudstack-agent

Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.15.2.0-shapeblue3

4.17.0.1

This is a ShapeBlue customer patch release on top of the Apache CloudStack 4.17.0.1 release.

Full Changelog: 4.17.0.0...4.17.0.1

4.16.1.1-shapeblue1

This is a ShapeBlue customer patch release on top of the Apache CloudStack 4.16.1.1 release that includes the following changes:

• kvm: truncate vnc password to 8 chars (apache#6244)
• kvm: Fix VM migration error due to VNC password on libvirt limiting versions (apache#6404)
• kvm: Extract the IO_URING configuration into the agent.properties (apache#6253)
• kvm: Enable IOURING only when it is available on the host (apache#6399)
• VR: add rules for traffic between static nat and private gateway (apache#6153)
• VR: Do not add iptables rules for the revoked ip addresses (apache#6189)
• VR: add '-m ' for tcp or udp protocol (apache#6188)
• Fix linux native bridge for SUSE in cloudutils (apache#6134)
• Fix migration of VM with volume on Ubuntu (apache#6116)

Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.16.1.1-shapeblue1