·
798 commits
to main
since this release
4.19.0.1
rohityadavcloud
Rohit Yadav
This tag was signed with the committer’s verified signature.
rohityadavcloud
Rohit Yadav
Advisories:
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.1-4.18.1.1
- https://www.shapeblue.com/apache-cloudstack-security-releases-4-18-1-1-and-4-19-0-1/
This is a ShapeBlue customer patch release that is based on upstream security 4.19.0.1 release:
- CVE-2024-29006 x-forwarded-for parsed by default
- CVE-2024-29007 When downloading templates or ISOs, the UI/SSVM follow http redirects with potentially dangerous consequences
- CVE-2024-29008 The extraconfig feature can be abused to load hypervisor resources on a VM instance
4.19 packages repository
EL7: http://packages.shapeblue.com/cloudstack/upstream/el7/4.19/
EL8: http://packages.shapeblue.com/cloudstack/upstream/el8/4.19/
EL9: http://packages.shapeblue.com/cloudstack/upstream/el9/4.19/
Ubuntu/Debian: http://packages.shapeblue.com/cloudstack/upstream/debian/4.19/
Upgrade instructions
- Recommended: Test the patch in your test/validation environment before upgrading to production
- Backup your production DB dump before upgrading to this patch release
- Check and upgrade any installed cloudstack packages (such as cloudstack-management, cloudstack-common, cloudstack-agent) using the above EL7, EL8, EL9 or Debian repositories. On some enviroments, you may also upgrade using downloaded rpms directly using rpm or yum localinstall.
- Post upgrade, restart the upgraded services such as cloudstack-management and cloudstack-agent
- Full Changelog: https://github.com/shapeblue/cloudstack/commits/4.19.0.1