glusterfs 5.1-1 source package in Ubuntu
Changelog
glusterfs (5.1-1) unstable; urgency=high

* New upstream release.
  - Several security vulnerabilities are fixed. Closes: #912997
  - This release fixes CVE-2018-14651: It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.
  - This release fixes CVE-2018-14654: The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote attacker with access to mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the target server.
  - This release fixes CVE-2018-14659: The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr(2)' to trigger a state dump and create an arbitrary number of files in the server's runtime directory.
  - This release fixes CVE-2018-14660: A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node.
  - This release fixes CVE-2018-14661: It was found that usage of snprintf function in feature/locks translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster Storage, was vulnerable to a format string attack. A remote, authenticated attacker could use this flaw to cause remote denial of service.
  - This release fixes CVE-2018-14653: The Gluster file system through versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in the '__server_getspec' function via the 'gf_getspec_req' RPC message. A remote authenticated attacker could exploit this to cause a denial of service or other potential unspecified impact.
* Modify patch 04-systemd-fixes to use /run directory instead of /var/run.
* Adjust lintian overrides.
* CVE-2012-5635 was fixed a long time ago.

-- Patrick Matthäi <email address hidden> Thu, 15 Nov 2018 11:10:47 +0100
Upload details
- Uploaded by: Patrick Matthäi
- Uploaded to: Sid
- Original maintainer: Patrick Matthäi
- Architectures: any
- Section: admin
- Urgency: Very Urgent
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
glusterfs_5.1-1.dsc | 2.1 KiB | 46c6fd1b3eb74aeb973cbfb9233a89b97eb872cd69825dac407e62311be3668b |
glusterfs_5.1.orig.tar.gz | 7.3 MiB | 779d03cf50710043682b9c6f14ac4c7964a82d6423383b8e09ac86c9c6704f0e |
glusterfs_5.1-1.debian.tar.xz | 17.4 KiB | 71ce4da55216869991e1cf0705cc9cc997de2f91efab9627e84a374e6a1883b2 |
Available diffs
- diff from 5.0-1 to 5.1-1 (37.2 KiB)
No changes file available.
Binary packages built by this source
- glusterfs-client: No summary available for glusterfs-client in ubuntu disco.
No description available for glusterfs-client in ubuntu disco.
- glusterfs-client-dbgsym: No summary available for glusterfs-client-dbgsym in ubuntu disco.
No description available for glusterfs-client-dbgsym in ubuntu disco.
- glusterfs-common: No summary available for glusterfs-common in ubuntu disco.
No description available for glusterfs-common in ubuntu disco.
- glusterfs-common-dbgsym: No summary available for glusterfs-common-dbgsym in ubuntu disco.
No description available for glusterfs-common-dbgsym in ubuntu disco.
- glusterfs-server: No summary available for glusterfs-server in ubuntu disco.
No description available for glusterfs-server in ubuntu disco.
- glusterfs-server-dbgsym: No summary available for glusterfs-server-dbgsym in ubuntu disco.
No description available for glusterfs-server-dbgsym in ubuntu disco.