fixed #912997 4.1.5-1 thanks Hi
Am 05.11.2018 um 19:09 schrieb Markus Koschany: > Package: glusterfs > X-Debbugs-CC: t...@security.debian.org > Severity: grave > Tags: security > > Hi, > > The following vulnerabilities were published for glusterfs. > > CVE-2018-14651[0]: > | It was found that the fix for CVE-2018-10927, CVE-2018-10928, > | CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A > | remote, authenticated attacker could use one of these flaws to execute > | arbitrary code, create arbitrary files, or cause denial of service on > | glusterfs server nodes via symlinks to relative paths. > > CVE-2018-14652[1]: > | The Gluster file system through versions 3.12 and 4.1.4 is vulnerable > | to a buffer overflow in the 'features/index' translator via the code > | handling the 'GF_XATTR_CLRLK_CMD' xattr in the 'pl_getxattr' function. > | A remote authenticated attacker could exploit this on a mounted volume > | to cause a denial of service. > > CVE-2018-14653[2]: > | The Gluster file system through versions 4.1.4 and 3.12 is vulnerable > | to a heap-based buffer overflow in the '__server_getspec' function via > | the 'gf_getspec_req' RPC message. A remote authenticated attacker > | could exploit this to cause a denial of service or other potential > | unspecified impact. > > CVE-2018-14654[3]: > | The Gluster file system through version 4.1.4 is vulnerable to abuse > | of the 'features/index' translator. A remote attacker with access to > | mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' > | xattrop to create arbitrary, empty files on the target server. > > CVE-2018-14659[4]: > | The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable > | to a denial of service attack via use of the > | 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker > | could exploit this by mounting a Gluster volume and repeatedly calling > | 'setxattr(2)' to trigger a state dump and create an arbitrary number > | of files in the server's runtime directory. > > CVE-2018-14660[5]: > | A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 > | which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, > | authenticated attacker could use this flaw to create multiple locks > | for single inode by using setxattr repetitively resulting in memory > | exhaustion of glusterfs server node. > > CVE-2018-14661[6]: > | It was found that usage of snprintf function in feature/locks > | translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster > | Storage, was vulnerable to a format string attack. A remote, > | authenticated attacker could use this flaw to cause remote denial of > | service. > > If you fix the vulnerabilities please also make sure to include the > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2018-14651 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14651 > [1] https://security-tracker.debian.org/tracker/CVE-2018-14652 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14652 > [2] https://security-tracker.debian.org/tracker/CVE-2018-14653 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14653 > [3] https://security-tracker.debian.org/tracker/CVE-2018-14654 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14654 > [4] https://security-tracker.debian.org/tracker/CVE-2018-14659 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14659 > [5] https://security-tracker.debian.org/tracker/CVE-2018-14660 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14660 > [6] https://security-tracker.debian.org/tracker/CVE-2018-14661 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14661 > > Please adjust the affected versions in the BTS as needed. > > Regards, > > Markus > If I see it correct, there is no issue open here? -- /* Mit freundlichem Gruß / With kind regards, Patrick Matthäi GNU/Linux Debian Developer Blog: http://www.linux-dev.org/ E-Mail: pmatth...@debian.org patr...@linux-dev.org */
signature.asc
Description: OpenPGP digital signature