Announcing Darga-5

We have built Darga-5. This release contains security fixes, bug fixes, numerous UI tweaks, and stabilisation.

Here are the Security Fixes:

  • CVE-2016-5402 - A code injection flaw was found in the way capacity and utilisation imported control files are processed. A remote, authenticated attacker with access to the capacity and utilisation feature could use this flaw to execute arbitrary code as the user CFME runs as. This issue was discovered by Simon Lukasik (Red Hat).

  • CVE-2016-7071 - It was found that the CloudForms did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.

If you’d like to see the other items added since Darga-4.1 please take a look at the blog announcement and changelog.

Feel free to download Darga-5. If you have any questions or require support, join our discussion forum.