glusterfs 5.1-1 source package in Ubuntu

Changelog

glusterfs (5.1-1) unstable; urgency=high

  * New upstream release.
    - Several security vulnerabilities are fixed.
      Closes: #912997
    - This release fixes CVE-2018-14651: It was found that the fix for
      CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and
      CVE-2018-10926 was incomplete. A remote, authenticated attacker could use
      one of these flaws to execute arbitrary code, create arbitrary files, or
      cause denial of service on glusterfs server nodes via symlinks to
      relative paths.
    - This release fixes CVE-2018-14654: The Gluster file system through version
      4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote
      attacker with access to mount volumes could exploit this via the
      'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the
      target server.
    - This release fixes CVE-2018-14659: The Gluster file system through
      versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via
      use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated
      attacker could exploit this by mounting a Gluster volume and repeatedly
      calling 'setxattr(2)' to trigger a state dump and create an arbitrary
      number of files in the server's runtime directory.
    - This release fixes CVE-2018-14660: A flaw was found in glusterfs server
      through versions 4.1.4 and 3.1.2 which allowed repeated usage of
      GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this
      flaw to create multiple locks for single inode by using setxattr
      repetitively resulting in memory exhaustion of glusterfs server node.
    - This release fixes CVE-2018-14661: It was found that usage of snprintf
      function in feature/locks translator of glusterfs server 3.8.4, as
      shipped with Red Hat Gluster Storage, was vulnerable to a format string
      attack. A remote, authenticated attacker could use this flaw to cause
      remote denial of service.
    - This release fixes CVE-2018-14653: The Gluster file system through
      versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in
      the '__server_getspec' function via the 'gf_getspec_req' RPC message. A
      remote authenticated attacker could exploit this to cause a denial of
      service or other potential unspecified impact.
  * Modify patch 04-systemd-fixes to use /run directory instead of /var/run.
  * Adjust lintian overrides.
  * CVE-2012-5635 was fixed a long time ago.

 -- Patrick Matthäi <email address hidden>  Thu, 15 Nov 2018 11:10:47 +0100

Upload details

Uploaded by: Patrick Matthäi
Uploaded to: Sid
Original maintainer: Patrick Matthäi
Architectures: any
Section: admin
Urgency: Very Urgent

Downloads

File Size SHA-256 Checksum
glusterfs_5.1-1.dsc 2.1 KiB 46c6fd1b3eb74aeb973cbfb9233a89b97eb872cd69825dac407e62311be3668b
glusterfs_5.1.orig.tar.gz 7.3 MiB 779d03cf50710043682b9c6f14ac4c7964a82d6423383b8e09ac86c9c6704f0e
glusterfs_5.1-1.debian.tar.xz 17.4 KiB 71ce4da55216869991e1cf0705cc9cc997de2f91efab9627e84a374e6a1883b2

Available diffs

No changes file available.

Binary packages built by this source

glusterfs-client: No summary available for glusterfs-client in ubuntu disco.

glusterfs-client-dbgsym: No summary available for glusterfs-client-dbgsym in ubuntu disco.

glusterfs-common: No summary available for glusterfs-common in ubuntu disco.

glusterfs-common-dbgsym: No summary available for glusterfs-common-dbgsym in ubuntu disco.

glusterfs-server: No summary available for glusterfs-server in ubuntu disco.

glusterfs-server-dbgsym: No summary available for glusterfs-server-dbgsym in ubuntu disco.
