From ${URL} : DigitalOcean recently changed the default API behavior from scrub to non-scrub when destroying a VM. Libcloud doesn't explicitly send "scrub_data" query parameter when destroying a node. This means nodes which are destroyed using Libcloud are vulnerable to later customers stealing data contained on them. Only users who are using DigitalOcean driver are known to be affected by this issue. The issue is said to be fixed in the version 0.13.3. References: http://seclists.org/fulldisclosure/2014/Jan/11 http://libcloud.apache.org/security.html https://digitalocean.com/blog_posts/transparency-regarding-data-security https://github.com/fog/fog/issues/2525 Commit: https://github.com/apache/libcloud/commit/4449e165a00756dc61430e6ad9520f005b045d29 @maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2013-6480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6480): Libcloud 012.3 through 0.13.2 does not set the scrub_data parameter for the destroy DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
libcloud-0.14.1 is now in the tree
(In reply to Patrick McLean from comment #2) > libcloud-0.14.1 is now in the tree Thanks, no stable version in tree, thus - noglsa. Please, remove vulnerable versions from tree
Vulnerable versions still in tree... Maintainer(s), please drop the vulnerable version.
Done. Sorry it took so long.
