Accepted glusterfs 5.1-1 (source amd64) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 15 Nov 2018 11:10:47 +0100
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 5.1-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
glusterfs-client - clustered file-system (client package)
glusterfs-common - GlusterFS common libraries and translator modules
glusterfs-server - clustered file-system (server package)
Closes: 912997
Changes:
 glusterfs (5.1-1) unstable; urgency=high
 .
   * New upstream release.
     - Several security vulnerabilities are fixed.
       Closes: #912997
     - This release fixes CVE-2018-14651: It was found that the fix for
       CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and
       CVE-2018-10926 was incomplete. A remote, authenticated attacker could use
       one of these flaws to execute arbitrary code, create arbitrary files, or
       cause denial of service on glusterfs server nodes via symlinks to
       relative paths.
     - This release fixes CVE-2018-14654: The Gluster file system through version
       4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote
       attacker with access to mount volumes could exploit this via the
       'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the
       target server.
     - This release fixes CVE-2018-14659: The Gluster file system through
       versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via
       use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated
       attacker could exploit this by mounting a Gluster volume and repeatedly
       calling 'setxattr(2)' to trigger a state dump and create an arbitrary
       number of files in the server's runtime directory.
     - This release fixes CVE-2018-14660: A flaw was found in glusterfs server
       through versions 4.1.4 and 3.1.2 which allowed repeated usage of the
       GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this
       flaw to create multiple locks for a single inode by using setxattr
       repetitively, resulting in memory exhaustion of the glusterfs server node.
     - This release fixes CVE-2018-14661: It was found that usage of the snprintf
       function in the feature/locks translator of glusterfs server 3.8.4, as
       shipped with Red Hat Gluster Storage, was vulnerable to a format string
       attack. A remote, authenticated attacker could use this flaw to cause
       remote denial of service.
     - This release fixes CVE-2018-14653: The Gluster file system through
       versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in
       the '__server_getspec' function via the 'gf_getspec_req' RPC message. A
       remote, authenticated attacker could exploit this to cause a denial of
       service or other potential unspecified impact.
   * Modify patch 04-systemd-fixes to use the /run directory instead of /var/run.
   * Adjust lintian overrides.
   * CVE-2012-5635 was fixed a long time ago.
Checksums-Sha1:
9e1e25d77c11cda06bbb12a27aaa10f1ea38f0db 2162 glusterfs_5.1-1.dsc
ba745c0016a839e7fdaefc4d08710862c5ba7858 7604907 glusterfs_5.1.orig.tar.gz
a73d8ddc1cc8757614b41e69db5d5681c515c1af 17804 glusterfs_5.1-1.debian.tar.xz
691bd09c53a50dcd5f27ab58a5ec263d2b2eb8e0 37636 glusterfs-client-dbgsym_5.1-1_amd64.deb
d2e10d3c45acf4571afed808184a820dd751f285 2475512 glusterfs-client_5.1-1_amd64.deb
558704b86aa776fe05c6eedea6765b2669171ee0 18467652 glusterfs-common-dbgsym_5.1-1_amd64.deb
85062a72f69b5cdf31c6255ff701d62d76f48be8 5820232 glusterfs-common_5.1-1_amd64.deb
75069a2299740ff944f0ceb25734a7c056f47ff5 722080 glusterfs-server-dbgsym_5.1-1_amd64.deb
1495ecbf83175fdbdfb5e46fde724a4abd7675c9 2648416 glusterfs-server_5.1-1_amd64.deb
801c1d9dc9ae0ca74ee3a678665f34fbf70abdff 11611 glusterfs_5.1-1_amd64.buildinfo
Checksums-Sha256:
46c6fd1b3eb74aeb973cbfb9233a89b97eb872cd69825dac407e62311be3668b 2162 glusterfs_5.1-1.dsc
779d03cf50710043682b9c6f14ac4c7964a82d6423383b8e09ac86c9c6704f0e 7604907 glusterfs_5.1.orig.tar.gz
71ce4da55216869991e1cf0705cc9cc997de2f91efab9627e84a374e6a1883b2 17804 glusterfs_5.1-1.debian.tar.xz
575f58a9fe185c817a7ce2a9f4f0eb1ebbd58c518c953552c89f5c58412f541e 37636 glusterfs-client-dbgsym_5.1-1_amd64.deb
a212174c83ddc74373ea563e925610cc593b9ea983b2bb5779354706ba2ed611 2475512 glusterfs-client_5.1-1_amd64.deb
85ae963caa0eaa51cbb7d6ac1af04b21e01818545a6850e89c9f953170686123 18467652 glusterfs-common-dbgsym_5.1-1_amd64.deb
ffb8b1d5bd9ef4c092f9e65bac7ed0acebe63cb147970191000ace5bd58c868c 5820232 glusterfs-common_5.1-1_amd64.deb
43fe2e099e31a5b82cb57b2d20e702229ea1d4b6ad7e26371fdd28de1d6633c4 722080 glusterfs-server-dbgsym_5.1-1_amd64.deb
cad1d3d8947d08e7b96a0d0ef36063c1f1b828df513a95f37e9b60b28eda4c20 2648416 glusterfs-server_5.1-1_amd64.deb
59d8952bd45e73934971dcad3b105f7045c6363ecea8aa2c1650e206584cafe3 11611 glusterfs_5.1-1_amd64.buildinfo
Files:
fc585368d58ad7e64511d69e925a78e8 2162 admin optional glusterfs_5.1-1.dsc
f0b61496a761cf6bf149e9613596fd0e 7604907 admin optional glusterfs_5.1.orig.tar.gz
f3c8984393c08b243a9158b28a7d4da9 17804 admin optional glusterfs_5.1-1.debian.tar.xz
6d973f3418d646c8c1d0dcf09c464f6b 37636 debug optional glusterfs-client-dbgsym_5.1-1_amd64.deb
e350b933b412307390ba00688c1562c8 2475512 admin optional glusterfs-client_5.1-1_amd64.deb
bc1db8d0fc2ac29d4193ccfbb860943d 18467652 debug optional glusterfs-common-dbgsym_5.1-1_amd64.deb
c692be461fd0fbba09c58306eb6e5128 5820232 admin optional glusterfs-common_5.1-1_amd64.deb
b2c54b6015af298db7bef73b12e591c9 722080 debug optional glusterfs-server-dbgsym_5.1-1_amd64.deb
7446e11375012456f9b26782dedb7bdf 2648416 admin optional glusterfs-server_5.1-1_amd64.deb
6b3d7ed929057ce611a205a08b172c28 11611 admin optional glusterfs_5.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----