Bug 1047867 - (CVE-2013-6480) CVE-2013-6480 python-libcloud: doesn't send scrub_data query parameter when destroying a DigitalOcean node
CVE-2013-6480 python-libcloud: doesn't send scrub_data query parameter when d...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20131230,reported=2...
: Security
Depends On: 1047868
Blocks:
  Show dependency treegraph
 
Reported: 2014-01-02 07:17 EST by Ratul Gupta
Modified: 2015-08-22 02:36 EDT (History)
3 users (show)

See Also:
Fixed In Version: python-libcloud 0.13.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 02:36:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Ratul Gupta 2014-01-02 07:17:16 EST
DigitalOcean recently changed the default API behavior from scrub to non-scrub when destroying a VM.

Libcloud doesn't explicitly send "scrub_data" query parameter when destroying a node. This means nodes which are destroyed using Libcloud are vulnerable to later customers stealing data contained on them. Only users who are using DigitalOcean driver are known to be affected by this issue.

The issue is said to be fixed in the version 0.13.3.

References:
http://seclists.org/fulldisclosure/2014/Jan/11
http://libcloud.apache.org/security.html
https://digitalocean.com/blog_posts/transparency-regarding-data-security
https://github.com/fog/fog/issues/2525

Commit:
https://github.com/apache/libcloud/commit/4449e165a00756dc61430e6ad9520f005b045d29
Comment 1 Ratul Gupta 2014-01-02 07:17:53 EST
Created python-libcloud tracking bugs for this issue:

Affects: fedora-all [bug 1047868]
Comment 2 Fedora Update System 2014-01-12 00:01:37 EST
python-libcloud-0.13.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2014-01-12 00:03:46 EST
python-libcloud-0.13.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-01-12 00:04:49 EST
python-libcloud-0.13.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.