-
- Enthusiast
- Posts: 86
- Liked: 15 times
- Joined: May 22, 2015 1:41 pm
- Full Name: Alan Shearer
- Contact:
Re: Include Security Fixes in Release Notes
What about for Nutanix AHV?
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Include Security Fixes in Release Notes
I double checked with the security team and there were no security-related fixes in the latest 2.1 release. I asked them to get the KB article going once there's something to document.
-
- Enthusiast
- Posts: 86
- Liked: 15 times
- Joined: May 22, 2015 1:41 pm
- Full Name: Alan Shearer
- Contact:
Re: Include Security Fixes in Release Notes
I see in the standard release notes that Veeam for Nutanix does have security fixes.
[Security]
Since version 2.1, AHV Backup Proxy does not use the following unsafe TLS ciphers:
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
Since the release notes for VAN show security and there is no KB article, but on the other products the release notes don't mention security and they have KB articles, I believe they should match in whatever format works best. I would personally forgo the KB article and have it in the Release Notes, but as long as it's the same across products that would be very helpful.
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Include Security Fixes in Release Notes
@Coldfirex,
Noted and passed to the responsible team.
Thanks!
-
- Enthusiast
- Posts: 86
- Liked: 15 times
- Joined: May 22, 2015 1:41 pm
- Full Name: Alan Shearer
- Contact:
Re: Include Security Fixes in Release Notes
When are the security release pages going to be updated for the newer releases?
I still haven't seen one for Veeam on Nutanix.
-
- Influencer
- Posts: 18
- Liked: 7 times
- Joined: Aug 08, 2019 6:09 pm
- Full Name: bryan campbell
- Location: indiana
- Contact:
Re: Include Security Fixes in Release Notes
@gostev
With the release of agent for windows 5.0.1.4584 is there any way to get the KB article https://www.veeam.com/kb3108 updated with any potential security fixes?
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Include Security Fixes in Release Notes
There's nothing to update it with...
-
- Enthusiast
- Posts: 86
- Liked: 15 times
- Joined: May 22, 2015 1:41 pm
- Full Name: Alan Shearer
- Contact:
Re: Include Security Fixes in Release Notes
Well that's not true.
kb3103 (or the Nutanix one, which I don't think exists yet still?) should at least be updated to include .NET Core 3.1 since 2.1 was EOL. Additionally the Veeam Proxy was supposed to be upgraded from EOL Ubuntu 16.04 to 18.04.
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Include Security Fixes in Release Notes
Reading the thread should make it obvious that I answered to bcampbell, who asked me personally the very specific question.
Nutanix is something you were discussing with PTide, so he was taking care of that... I assume he will check with the responsible team and answer.
-
- Influencer
- Posts: 18
- Liked: 7 times
- Joined: Aug 08, 2019 6:09 pm
- Full Name: bryan campbell
- Location: indiana
- Contact:
Re: Include Security Fixes in Release Notes
Gostev thanks for the response
If there are no security fixes can the KB at least be updated to show that? Other releases show that.
example
---------------------------------------
4.0.1.2169
No security related changes.
----------------------------------------
This may seem trivial, but this page https://www.veeam.com/kb3108 is something our compliance team relies on for evidence. We get audited every year on these kinds of things. Not trying to be rude but I cannot use this forum and your response of "There's nothing to update it with..." as a form of credible evidence.
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Include Security Fixes in Release Notes
Sure, this should not be a problem to add.
-
- Influencer
- Posts: 18
- Liked: 7 times
- Joined: Aug 08, 2019 6:09 pm
- Full Name: bryan campbell
- Location: indiana
- Contact:
Re: Include Security Fixes in Release Notes
Thanks for the update Gostev. I see the page is updated and it is exactly what I need. Thanks for the quick turn around.
-
- Enthusiast
- Posts: 86
- Liked: 15 times
- Joined: May 22, 2015 1:41 pm
- Full Name: Alan Shearer
- Contact:
Re: Include Security Fixes in Release Notes
Nutanix AHV security fix KB article published: https://www.veeam.com/kb4236
-
- Influencer
- Posts: 18
- Liked: 7 times
- Joined: Aug 08, 2019 6:09 pm
- Full Name: bryan campbell
- Location: indiana
- Contact:
Re: Include Security Fixes in Release Notes
Gostev, can the KB article be updated to reflect any security or non-security fixes for Agent 5.0.2.4680?
https://www.veeam.com/kb3108
I'm going to need that page updated sometime by the end of this month when I do my patch assessments.
Additionally is there someone else I can bug about getting that page updated on the release of updates? Or do I need to just post here every time I see an update?
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Include Security Fixes in Release Notes
Our security team will take over this going forward so hopefully you won't need to bug us PMs here any longer
-
- Influencer
- Posts: 18
- Liked: 7 times
- Joined: Aug 08, 2019 6:09 pm
- Full Name: bryan campbell
- Location: indiana
- Contact:
Re: Include Security Fixes in Release Notes
Hey Gostev. It’s me again…. Lol great presentation today btw.
Hey can we get the veeam agent security vulnerabilities page updated if there are any vulnerability fixes with agent 6.0.
https://www.veeam.com/kb3108
I know you said the security team was handling this so let me know if I should reach out somewhere else.
Thanks for all the great work.
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Include Security Fixes in Release Notes
Hello,
the security team is working on updating the KB article.
Best regards
Hannes
-
- Enthusiast
- Posts: 86
- Liked: 15 times
- Joined: May 22, 2015 1:41 pm
- Full Name: Alan Shearer
- Contact:
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Include Security Fixes in Release Notes
Hello,
yes, it should be updated soon.
Best regards,
Hannes
-
- Influencer
- Posts: 18
- Liked: 7 times
- Joined: Aug 08, 2019 6:09 pm
- Full Name: bryan campbell
- Location: indiana
- Contact:
Re: Include Security Fixes in Release Notes
Is it possible to get the KB article https://www.veeam.com/kb3108 updated for the new version 6.1 if there are security fixes or not? If there are no security fixes can it just state that there are none? I have to ask every time there is a new release. We are bound by NERC CIP compliance to have something written to show auditors.
-
- Chief Product Officer
- Posts: 31812
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Include Security Fixes in Release Notes
Yes, it should be updated soon. I too needed it earlier today so I already complained to the security team