Hi,

On Thu, Apr 19, 2018 at 11:07:13PM +0200, Markus Koschany wrote:
> Package: glusterfs
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for glusterfs.
> 
> CVE-2018-1088[0]:
> | A privilege escalation flaw was found in gluster 3.x snapshot
> | scheduler. Any gluster client allowed to mount gluster volumes could
> | also mount shared gluster storage volume and escalate privileges by
> | scheduling malicious cronjob via symlink.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1088
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088
> 
> Please adjust the affected versions in the BTS as needed.

When fixing the issue, please see
https://bugzilla.redhat.com/show_bug.cgi?id=1570891 . The original
patches made it possible that, where auth.allow is used, all clients
could mount volumes. So this comment is just to make sure the complete
fix will be applied; I have updated the notes on security-tracker.

Regards,
Salvatore