Accepted glusterfs 5.1-1 (source amd64) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Nov 2018 11:10:47 +0100
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 5.1-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-server - clustered file-system (server package)
Closes: 912997
Changes:
 glusterfs (5.1-1) unstable; urgency=high
 .
   * New upstream release.
     - Several security vulnerabilities are fixed.
       Closes: #912997
     - This release fixes CVE-2018-14651: It was found that the fix for
       CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and
       CVE-2018-10926 was incomplete. A remote, authenticated attacker could use
       one of these flaws to execute arbitrary code, create arbitrary files, or
       cause denial of service on glusterfs server nodes via symlinks to
       relative paths.
     - This release fixes CVE-2018-14654: The Gluster file system through version
       4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote
       attacker with access to mount volumes could exploit this via the
       'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the
       target server.
     - This release fixes CVE-2018-14659: The Gluster file system through
       versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via
       use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated
       attacker could exploit this by mounting a Gluster volume and repeatedly
       calling 'setxattr(2)' to trigger a state dump and create an arbitrary
       number of files in the server's runtime directory.
     - This release fixes CVE-2018-14660: A flaw was found in glusterfs server
       through versions 4.1.4 and 3.1.2 which allowed repeated usage of
       GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this
       flaw to create multiple locks for single inode by using setxattr
       repetitively resulting in memory exhaustion of glusterfs server node.
     - This release fixes CVE-2018-14661: It was found that usage of snprintf
       function in feature/locks translator of glusterfs server 3.8.4, as
       shipped with Red Hat Gluster Storage, was vulnerable to a format string
       attack. A remote, authenticated attacker could use this flaw to cause
       remote denial of service.
     - This release fixes CVE-2018-14653: The Gluster file system through
       versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in
       the '__server_getspec' function via the 'gf_getspec_req' RPC message. A
       remote authenticated attacker could exploit this to cause a denial of
       service or other potential unspecified impact.
   * Modify patch 04-systemd-fixes to use /run directory instead of /var/run.
   * Adjust lintian overrides.
   * CVE-2012-5635 was fixed a long time ago.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----