Releases · apache/cloudstack · GitHub

Release list

Apache CloudStack 4.19.1.3 (LTS Security Release)

DaanHoogland released this 12 Nov 13:46

07468f5

This is a security release that fixes the following on top of the 4.19.1.3 release:

CVE-2024-50386: Directly downloaded templates can be used to abuse KVM-based infrastructure

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3

Release notes: https://docs.cloudstack.apache.org/en/4.19.1.3/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.1.3/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.1.3/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.1.3/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19

Assets 2

Apache CloudStack 4.18.2.5 (Security Release)

DaanHoogland released this 12 Nov 13:40

84538da

This is a security release that fixes the following on top of the 4.18.2.4 release:

CVE-2024-50386 Directly downloaded templates can be used to abuse KVM-based infrastructure

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3

Release notes: https://docs.cloudstack.apache.org/en/4.18.2.5/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.18.2.5/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.18.2.5/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.18.2.5/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.18

Assets 2

Apache CloudStack 4.19.1.2 (LTS Security Release)

GutoVeronezi released this 15 Oct 18:35

18fe422

This is a security release that fixes the following on top of the 4.19.1.1 release:

CVE-2024-45219: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure
CVE-2024-45461: Access checks not enforced in Quota
CVE-2024-45462: Incomplete session invalidation on web interface logout
CVE-2024-45693: Request origin validation bypass makes account takeover possible

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2

Release notes: https://docs.cloudstack.apache.org/en/4.19.1.2/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.1.2/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.1.2/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.1.2/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19

Assets 2

Apache CloudStack 4.18.2.4 (LTS Security Release)

GutoVeronezi released this 15 Oct 18:37

54b3519

This is a security release that fixes the following on top of the 4.18.2.3 release:

CVE-2024-45219: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure
CVE-2024-45461: Access checks not enforced in Quota
CVE-2024-45462: Incomplete session invalidation on web interface logout
CVE-2024-45693: Request origin validation bypass makes account takeover possible

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2

Release notes: https://docs.cloudstack.apache.org/en/4.18.2.4/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.18.2.4/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.18.2.4/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.18.2.4/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.18

Assets 2

Apache CloudStack 4.19.1.1 (LTS Security Release)

nvazquez released this 06 Aug 15:17

4ea342c

This is a security release that fixes the following on top of the 4.19.1.0 release:

CVE-2024-42062: User Key Exposure to Domain Admins
CVE-2024-42222: Unauthorised Network List Access

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3

Release notes: https://docs.cloudstack.apache.org/en/4.19.1.1/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.1.1/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.1.1/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.1.1/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19

Assets 2

Apache CloudStack 4.18.2.3 (LTS Security Release)

nvazquez released this 06 Aug 15:15

be191f5

This is a security release that fixes the following on top of the 4.18.2.2 security release:

CVE-2024-42062: User Key Exposure to Domain Admins

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3

Release notes: https://docs.cloudstack.apache.org/en/4.18.2.3/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.18.2.3/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.18.2.3/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.18.2.3/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.18

Assets 2

Apache CloudStack 4.19.1.0 (LTS)

sureshanaparti released this 28 Aug 07:48

9f4c895

Apache CloudStack 4.19.1.0 (LTS) release

Release notes: https://docs.cloudstack.apache.org/en/4.19.1.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.1.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.1.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.1.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19

Assets 2

Apache CloudStack 4.18.2.2 (LTS Security Release)

shwstppr released this 19 Jul 10:11

22baf24

This is a security release that fixes the following on top of the 4.18.2.1 security release:

CVE-2024-41107: SAML Signature Exclusion

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107/

Release notes: https://docs.cloudstack.apache.org/en/4.18.2.2/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.18.2.2/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.18.2.2/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.18.2.2/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.18

Assets 2

Apache CloudStack 4.19.0.2 (LTS Security Release)

shwstppr released this 05 Jul 13:32

616d726

This is a security release that fixes the following on top of the 4.19.0.1 release:

CVE-2024-38346: Unauthenticated cluster service port leads to remote execution
CVE-2024-39864: Integration API service uses dynamic port when disabled

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1

Release notes: https://docs.cloudstack.apache.org/en/4.19.0.2/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.0.2/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.0.2/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.0.2/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19

Assets 2

Apache CloudStack 4.18.2.1 (LTS Security Release)

shwstppr released this 05 Jul 13:31

ef5b5bb

This is a security release that fixes the following on top of the 4.18.2.0 release:

CVE-2024-38346: Unauthenticated cluster service port leads to remote execution
CVE-2024-39864: Integration API service uses dynamic port when disabled

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1

Release notes: https://docs.cloudstack.apache.org/en/4.18.2.1/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.18.2.1/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.18.2.1/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.18.2.1/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.18

Assets 2