# Security updates and reports
## Libcloud Vulnerabilities
### [CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node
**Severity**: Low

**Affected Versions**: Apache Libcloud **0.12.3** to **0.13.3** (versions prior
to 0.12.3 don't include a DigitalOcean driver)

**Description**:

DigitalOcean recently changed the default API behavior from scrub to non-scrub
when destroying a VM.

Libcloud doesn't explicitly send the "scrub_data" query parameter when destroying
a node. This means the data left on nodes destroyed using Libcloud could be
recovered by later customers.

Note: only users of the DigitalOcean driver are affected by this issue.
References:
* https://digitalocean.com/blog_posts/transparency-regarding-data-security
* https://github.com/fog/fog/issues/2525
**Mitigation**:

This vulnerability has been fixed in version 0.13.3. Users of the DigitalOcean
driver are strongly encouraged to upgrade to this release.
### [CVE-2012-3446] Possible SSL MITM due to invalid regular expression used to validate the target server hostname
**Severity**: Medium

**Versions Affected**:

Apache Libcloud 0.4.2 to 0.11.1

Versions prior to 0.4.2 don't perform any target server SSL certificate
validation.

**Description**:

When establishing a secure (SSL / TLS) connection to a target server, an
invalid regular expression was used to perform the hostname verification. A
subset of the target server hostname, rather than the full hostname, was
accepted as a match for the certificate's hostname.

For example, a certificate with a hostname field of "aexample.com" was
considered a valid certificate for the domain "example.com".
**Mitigation**:

Users should upgrade to the latest version (0.11.1), which includes a fix.

**Credit**:

This issue was discovered by researchers from the University of Texas at Austin
(Martin Georgiev, Suman Jana and Vitaly Shmatikov).
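A constructed illustration of the bug class described above, added here and not taken from Libcloud's own code: the same certificate-name regex is used once unanchored (re.search), which accepts any hostname that merely contains the certificate name, and once anchored (re.fullmatch). All hostnames apart from the advisory's "example.com" / "aexample.com" are made up for the demo.

```python
import re

# Constructed illustration of the CVE-2012-3446 bug class; not Libcloud's own
# hostname-verification code. A certificate name is turned into a regex, and the
# only difference between the two checkers is whether that regex is anchored.

def _name_pattern(cert_name):
    # Escape every literal character, then let "*" stand for exactly one DNS
    # label (the usual reading of "*.example.com").
    return re.escape(cert_name.lower()).replace(r"\*", r"[^.]+")

def vulnerable_hostname_match(cert_name, hostname):
    # Unanchored re.search: a hostname that merely *contains* the certificate
    # name passes, so a cert for "example.com" vouches for "aexample.com" and
    # for "example.com.attacker.test" alike.
    return re.search(_name_pattern(cert_name), hostname.lower()) is not None

def fixed_hostname_match(cert_name, hostname):
    # Anchored (re.fullmatch): the whole hostname must match the pattern.
    # A wildcard is honoured only as the entire leftmost label of the name.
    if "*" in cert_name and not (cert_name.startswith("*.") and cert_name.count("*") == 1):
        return False
    return re.fullmatch(_name_pattern(cert_name), hostname.lower()) is not None

def accepted_by(matcher, hostname, cert_names):
    # Return the certificate names (CN plus SANs) the given checker accepts for
    # this hostname; an empty tuple means the handshake should be refused.
    return tuple(n for n in cert_names if matcher(n, hostname))

if __name__ == "__main__":
    # Constructed sample: the names a certificate might carry versus the hosts
    # a client actually connects to.
    cert_names = ("example.com", "*.example.com")
    for host in ("example.com", "aexample.com", "example.com.attacker.test",
                 "www.example.com", "a.b.example.com"):
        print(host,
              "vulnerable:", accepted_by(vulnerable_hostname_match, host, cert_names),
              "fixed:", accepted_by(fixed_hostname_match, host, cert_names))
```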
### [CVE-2010-4340] SSL MITM vulnerability
**Description**:

Python's SSL library doesn't validate the server's SSL certificate and, as a
consequence, versions prior to **0.4.2** are vulnerable to a man-in-the-middle
attack.

**Affected versions**: All versions prior to **0.4.2**

**Fix version**:

This vulnerability has been fixed in version
**[0.4.2](/libcloud/downloads.html)**. You are strongly encouraged to upgrade
to this version and set the libcloud.security.VERIFY_SSL_CERT variable to True.
## Reporting a vulnerability
If you find a security vulnerability, you are strongly encouraged to report it to
our private mailing list: [security@libcloud.apache.org](mailto:security@libcloud.apache.org)

The PGP keys of the Libcloud developers can be found at
[https://www.apache.org/dist/libcloud/KEYS](https://www.apache.org/dist/libcloud/KEYS)