March 8, 2019
By Matt Stone
In the last couple of weeks StackStorm has published back-to-back releases. 2.10.2 is a traditional patch release from StackStorm, and you’ll find some of the highlights below. 2.10.3 and 2.9.3; however, are releases to address CVE-2019-9580. I want to thank Barak Tawily and Anna Tsibulskaya: the researchers who discovered and submitted a patch for the issue.
The issue found by Barak and Anna is an improper handling of CORS headers. Specifically what the StackStorm API returned for Access-Control-Allow-Origin
. Prior to 2.10.3/2.9.3, if the origin of the request was unknown, we would return null
. As Mozilla’s documentation will show, and client behavior will back up, null
can result in a successful request from an unknown origin in some clients. Allowing the possibility of XSS style attacks against the StackStorm API. The fix for this is relatively straightforward, and, as of 2.10.3/2.9.3, if the origin is unknown StackStorm will return the first valid origin in the Access-Control-Allow-Origin
header.
Thanks again to Barak and Anna for the report, and if you are a researcher or user that discovers a security issue please reach out to moc.mrotskcatsnull@ofni.
Now back to our regularly scheduled release blog.
Our latest release continues StackStorm on its journey to 3.0, and has a plethora of bug and performance fixes. We continue to bring Orquesta closer to GA, and the community has been an great asset both reporting new issues as well as providing new feature requests. Some of the release highlights include:
messaging
section in st2.conf
config file.st2notifier
serviceAs always, you can check the release notes for the complete list of changes. We’ll see you again soon for 3.0.
Jan 30, 2019
By Tomaz Muraus
2018 is behind us and first of all we would like to thank all of our users, community members and customers for supporting us and making 2018 a successful year.
In this post we would like to have a look at the various things we have released and important milestones we have reached in 2018.
In addition to that, we would like to ask you to spare 10 minutes of your time by completing the StackStorm 2019 User Survey. Completing the survey will give us a better idea on how you use StackStorm. This will help us prioritize our feature development for 2019, make StackStorm better and help you become more successful.
Jan 15, 2019
By Eugen
We’re very excited to announce that Ansible roles to deploy StackStorm have been promoted to major version 1.0.0
!
Dec 20, 2018
By Tomaz Muraus
Today we are announcing the release of StackStorm v2.9.2 and StackStorm v2.10.1.
Those two patch releases fix a security issue which has been reported to us this week by one of our users (Alexandre Juma – thanks!).
Dec 14, 2018
By Lindsay Hill
Thought you could wind down for the change freeze? Sorry, we’ve got one last thing for you to do: Upgrade StackStorm to 2.10! Orquesta is now ready for almost all workflow use-cases. We’ve also done a big update to our ChatOps internals, and we have early-access Ubuntu 18 + Python 3 packages (for test only!). Read on for full details:
November 27, 2018
by Lindsay Hill
We have been doing a little tidying up around here, giving the website a small facelift. Our contributors have not rested either, with more pack updates including NetBox, PagerDuty, Atlassian Crowd and InfluxDB. Here’s the details:
October 23, 2018
by Lindsay Hill
Late October already – where did the year go? Well at least part of it was spent making StackStorm better, and adding new packs and actions to the StackStorm Exchange. Read on for more details about StackStorm 2.9.1, and pack updates to ManageIQ, Jira, ServiceNow, InfluxDB, vSphere, and more:
Oct 10, 2018
By Warren Van Winckel and Eugen
A couple weeks ago, we released the Helm chart and docker images so you could install StackStorm Enterprise HA cluster in Kubernetes.
Today, we’re glad to announce that the Community free and open source edition of StackStorm HA is now available, too! With this update we are excited to bring Kubernetes powers to the broader community and strive for greater adoption in production with better safety for all important operations you delegate to StackStorm automation engine.
Sep 26, 2018
By Eugen and Warren Van Winckel
More groups are progressing from just talking about Event-Driven Automation to actually doing it in practice. StackStorm helps make this easy. When organizations start offloading business-critical tasks and automating for real it becomes essential to ensure that the Automation engine itself is not a single point of failure when it is responsible for recovering a fleet of servers, managing datacenters, and automating remediations.
StackStorm was designed to be cloud-native, API-driven, easily deployed, microservice-oriented, resilient and can be scaled out horizontally to fulfill High Availability and/or High Load demands.
Previously we only documented best practices describing how to distribute StackStorm in HA mode (docs.stackstorm.com/reference/ha.html), giving a high level overview regarding StackStorm design and how to ensure its redundancy. Based on those recommendations, some companies were spending weeks to months to codify a complex st2 HA infrastructure and iterate over their deployments until finding that “silver bullet” stability/production state.
Sep 25, 2018
By Lindsay Hill
New Streaming & Inquiries Apps in the Web UI, Orquesta second beta, Helm Chart for running StackStorm in HA mode on Kubernetes, new Windows runners, and plenty of fixes and improvements: StackStorm 2.9 is ready to go! Here’s all the details: