Comprehensive data protection for all workloads
Coldfirex
Enthusiast
Posts: 80
Liked: 15 times
Joined: May 22, 2015 1:41 pm
Full Name: Alan Shearer
Contact:

Re: Include Security Fixes in Release Notes

Post by Coldfirex » 1 person likes this post

What about for Nutanix AHV?
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Include Security Fixes in Release Notes

Post by Gostev »

I double checked with the security team and there were no security-related fixes in the latest 2.1 release. I asked them to get the KB article going once there's something to document.
Coldfirex
Enthusiast
Posts: 80
Liked: 15 times
Joined: May 22, 2015 1:41 pm
Full Name: Alan Shearer
Contact:

Re: Include Security Fixes in Release Notes

Post by Coldfirex » 1 person likes this post

I see in the standard release notes that Veeam for Nutanix does have security fixes.
[Security]
Since version 2.1, AHV Backup Proxy does not use the following unsafe TLS ciphers:
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA

Since the release notes for VAN show security and there is no KB article, but on the other products the release notes don't mention security and they have KB articles I believe they should match in whatever format works best. I would personally forgo the KB article and have it in the Release Notes, but as long as its the same across products that would be very helpful.
PTide
Product Manager
Posts: 6408
Liked: 724 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Include Security Fixes in Release Notes

Post by PTide »

@Coldfirex,

Noted and passed to the responsible team.

Thanks!
Coldfirex
Enthusiast
Posts: 80
Liked: 15 times
Joined: May 22, 2015 1:41 pm
Full Name: Alan Shearer
Contact:

Re: Include Security Fixes in Release Notes

Post by Coldfirex »

When are the security release pages going to be updated for the newer releases?
I still havent seen one for Veeam on Nutanix.
bcampbell
Influencer
Posts: 18
Liked: 7 times
Joined: Aug 08, 2019 6:09 pm
Full Name: bryan campbell
Location: indiana
Contact:

Re: Include Security Fixes in Release Notes

Post by bcampbell »

@gostev

With the release of agent for windows 5.0.1.4584 is there any way to get the KB article https://www.veeam.com/kb3108 updated with any potential security fixes?
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Include Security Fixes in Release Notes

Post by Gostev »

There's nothing to update it with...
Coldfirex
Enthusiast
Posts: 80
Liked: 15 times
Joined: May 22, 2015 1:41 pm
Full Name: Alan Shearer
Contact:

Re: Include Security Fixes in Release Notes

Post by Coldfirex »

Well thats not true.

kb3103 (or the nutanix one which I dont think exists yet still?) should at least be updated to include .NET Core 3.1 since 2.1 was EOL. Additionally the Veeam Proxy was supposed to be upgraded from eol Ubutnu 16.04 to 18.04.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Include Security Fixes in Release Notes

Post by Gostev »

Reading the thread should make it obvious that I answered to bcampbell, who asked me personally the very specific question.

Nutanix is something you were discussing with PTide, so he was taking care of that... I assume he will check with the responsible team and answer.
bcampbell
Influencer
Posts: 18
Liked: 7 times
Joined: Aug 08, 2019 6:09 pm
Full Name: bryan campbell
Location: indiana
Contact:

Re: Include Security Fixes in Release Notes

Post by bcampbell » 2 people like this post

Gostev thanks for the response

If there are no security fixes can the KB at lease be updated to show that? Other releases show that.

example
---------------------------------------
4.0.1.2169

No security related changes.
----------------------------------------

This may seem trivial, but this page https://www.veeam.com/kb3108 is something our compliance team relies on for evidence. We get audited every year on these of things. Not trying to be rude but I cannot use this forum and your response of "There's nothing to update it with..." as a form of credible evidence.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Include Security Fixes in Release Notes

Post by Gostev » 1 person likes this post

Sure, this should not be a problem to add.
bcampbell
Influencer
Posts: 18
Liked: 7 times
Joined: Aug 08, 2019 6:09 pm
Full Name: bryan campbell
Location: indiana
Contact:

Re: Include Security Fixes in Release Notes

Post by bcampbell » 4 people like this post

Thanks for the update Gostev. I see the page is updated and it is exactly what I need. Thanks for the quick turn around.
Coldfirex
Enthusiast
Posts: 80
Liked: 15 times
Joined: May 22, 2015 1:41 pm
Full Name: Alan Shearer
Contact:

Re: Include Security Fixes in Release Notes

Post by Coldfirex » 2 people like this post

Nutanix AHV security fix KB article published: https://www.veeam.com/kb4236
bcampbell
Influencer
Posts: 18
Liked: 7 times
Joined: Aug 08, 2019 6:09 pm
Full Name: bryan campbell
Location: indiana
Contact:

Re: Include Security Fixes in Release Notes

Post by bcampbell »

Gostev can the KB article be updated to reflect any security or non security fixes for Agent 5.0.2.4680.
https://www.veeam.com/kb3108

I'm going to need that page updated sometime by the end of this month when I do my patch assessments.

Additionally is there someone else I can bug about getting that page updated on the release of updates? Or do I need to just post here every time I see an update?
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Include Security Fixes in Release Notes

Post by Gostev »

Our security team will take over this going forward so hopefully you won't need to bug us PMs here any longer ;)
bcampbell
Influencer
Posts: 18
Liked: 7 times
Joined: Aug 08, 2019 6:09 pm
Full Name: bryan campbell
Location: indiana
Contact:

Re: Include Security Fixes in Release Notes

Post by bcampbell » 1 person likes this post

Hey Gostev. It’s me again…. Lol great presentation today btw.

Hey can we get the veeam agent security vulnerabilities page updated if there are any vulnerability fixes with agent 6.0.
https://www.veeam.com/kb3108

I know you said the security team was handling this so let me know if I should reach out somewhere else.

Thanks for all the great work.
HannesK
Product Manager
Posts: 14301
Liked: 2880 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Include Security Fixes in Release Notes

Post by HannesK »

Hello,
the security team is working on updating the KB article.

Best regards
Hannes
Coldfirex
Enthusiast
Posts: 80
Liked: 15 times
Joined: May 22, 2015 1:41 pm
Full Name: Alan Shearer
Contact:

Re: Include Security Fixes in Release Notes

Post by Coldfirex »

Howdy,
Can we have the Nutanix AHV one updated too please?

https://www.veeam.com/kb4236
HannesK
Product Manager
Posts: 14301
Liked: 2880 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Include Security Fixes in Release Notes

Post by HannesK »

Hello,
yes, it should be updated soon.

Best regards,
Hannes
bcampbell
Influencer
Posts: 18
Liked: 7 times
Joined: Aug 08, 2019 6:09 pm
Full Name: bryan campbell
Location: indiana
Contact:

Re: Include Security Fixes in Release Notes

Post by bcampbell »

Is it possible to get the KB article https://www.veeam.com/kb3108 updated for the new version 6.1 if there are security fixes or not. If there are no security fixes can it just state that there are none? I have to ask every time a there is a new release. We are bound by NERC CIP compliance to have something wirtten to show auditors.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Include Security Fixes in Release Notes

Post by Gostev »

Yes, it should be updated soon. I too needed it earlier today so I already complained to the security team :)
Post Reply

Who is online

Users browsing this forum: Bing [Bot], MikeMoenich, Semrush [Bot] and 154 guests