
Accepted glusterfs 3.8.8-1+deb9u1 (source) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 01 Nov 2021 23:02:25 +0100
Source: glusterfs
Architecture: source
Version: 3.8.8-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Changes:
 glusterfs (3.8.8-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-14651:
     It was found that the fix for CVE-2018-10927, CVE-2018-10928,
     CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A
     remote, authenticated attacker could use one of these flaws to execute
     arbitrary code, create arbitrary files, or cause denial of service on
     glusterfs server nodes via symlinks to relative paths.
   * Fix CVE-2018-14652:
     The Gluster file system is vulnerable to a buffer overflow in the
     'features/index' translator via the code handling the 'GF_XATTR_CLRLK_CMD'
     xattr in the 'pl_getxattr' function. A remote authenticated attacker could
     exploit this on a mounted volume to cause a denial of service.
   * Fix CVE-2018-14653:
     The Gluster file system is vulnerable to a heap-based buffer overflow in
     the '__server_getspec' function via the 'gf_getspec_req' RPC message. A
     remote authenticated attacker could exploit this to cause a denial of
     service or other potential unspecified impact.
   * Fix CVE-2018-14659:
     The Gluster file system is vulnerable to a denial of service attack via use
     of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker
     could exploit this by mounting a Gluster volume and repeatedly calling
     'setxattr(2)' to trigger a state dump and create an arbitrary number of
     files in the server's runtime directory.
   * Fix CVE-2018-14661:
     It was found that usage of snprintf function in feature/locks translator of
     glusterfs server, as shipped with Red Hat Gluster Storage, was vulnerable
     to a format string attack. A remote, authenticated attacker could use this
     flaw to cause remote denial of service.
   * Fix CVE-2018-10904, CVE-2018-10907, CVE-2018-10911, CVE-2018-10913,
     CVE-2018-10914, CVE-2018-10923, CVE-2018-10926, CVE-2018-10927,
     CVE-2018-10928, CVE-2018-10929 and CVE-2018-10930.
     Multiple security vulnerabilities were discovered in glusterfs. Buffer
     overflows and path traversal issues may lead to information disclosure,
     denial-of-service or the execution of arbitrary code.
   * Fix CVE-2018-1088:
     A privilege escalation flaw was found in the snapshot scheduler.
     Any gluster client allowed to mount gluster volumes could also mount shared
     gluster storage volume and escalate privileges by scheduling malicious
     cronjob via symlink.
   * Fix CVE-2018-10841:
     glusterfs is vulnerable to privilege escalation on gluster server nodes. An
     authenticated gluster client via TLS could use gluster cli with
     --remote-host command to add itself to trusted storage pool and perform
     privileged gluster operations like adding other machines to trusted storage
     pool, start, stop, and delete volumes.
   * Fix CVE-2018-14654:
     The Gluster file system is vulnerable to abuse of the 'features/index'
     translator. A remote attacker with access to mount volumes could exploit
     this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty
     files on the target server.
   * Fix CVE-2018-14660:
     A flaw was found in glusterfs server which allowed repeated usage of
     GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this
     flaw to create multiple locks for single inode by using setxattr
     repetitively resulting in memory exhaustion of glusterfs server node.
Checksums-Sha1:
 bc1778a2f90b226b884d528936d4a436ff90c7f4 2438 glusterfs_3.8.8-1+deb9u1.dsc
 0743589903179b4e28bd0114820ac085b4e2b159 8499783 glusterfs_3.8.8.orig.tar.gz
 2fcb9d475d67dfa7d57a1f249555f40845bee765 35624 glusterfs_3.8.8-1+deb9u1.debian.tar.xz
 0c1ce95e0b56f52da07822e3bea0a2e5c43d5148 5838 glusterfs_3.8.8-1+deb9u1_source.buildinfo
Checksums-Sha256:
 2a71cf24864713c5d2505ebcd8e29c6c4fc93b2e3b399dbd210c1e06c6a388b2 2438 glusterfs_3.8.8-1+deb9u1.dsc
 db6fd3cb7ec4d60649ac8e5549f335df0c0f1978c3ef36738d2711204809d87e 8499783 glusterfs_3.8.8.orig.tar.gz
 5cb8987c8c4c0e1e56654aa13b1896a443f209c7bce9bef8de7307b6d8e12464 35624 glusterfs_3.8.8-1+deb9u1.debian.tar.xz
 7d2522a1faf42687215fd704af6383c7ad8665653a710e30290bac68c26ec9e2 5838 glusterfs_3.8.8-1+deb9u1_source.buildinfo
Files:
 c014d97ceadf825641127c25a1071784 2438 admin optional glusterfs_3.8.8-1+deb9u1.dsc
 c308d14ed9997373dd1b473f141f7ff5 8499783 admin optional glusterfs_3.8.8.orig.tar.gz
 c61b964acda7bd6e34846f8a60b0b12f 35624 admin optional glusterfs_3.8.8-1+deb9u1.debian.tar.xz
 9cbdc322ca809cfc7770a506b46be30d 5838 admin optional glusterfs_3.8.8-1+deb9u1_source.buildinfo
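Before building or importing this source upload, a practitioner would confirm that the files fetched from a mirror are the ones this signed .changes file vouches for. The script below is an added example, not part of the Debian upload or of the dak/dput tooling: it parses the Checksums-Sha256 stanza above (copied verbatim into the script) and compares size and SHA-256 of each listed file in a local directory, reporting truncated downloads separately from corrupted ones. The directory path on the command line is an assumption; the stanza check does not replace verifying the PGP signature on the .changes itself.

```python
import hashlib
import os
import re
from typing import Dict, List, NamedTuple

# Checksums-Sha256 stanza copied from the .changes file above. Each
# continuation line has the form "<sha256> <size> <filename>".
CHANGES_SHA256_STANZA = """\
Checksums-Sha256:
 2a71cf24864713c5d2505ebcd8e29c6c4fc93b2e3b399dbd210c1e06c6a388b2 2438 glusterfs_3.8.8-1+deb9u1.dsc
 db6fd3cb7ec4d60649ac8e5549f335df0c0f1978c3ef36738d2711204809d87e 8499783 glusterfs_3.8.8.orig.tar.gz
 5cb8987c8c4c0e1e56654aa13b1896a443f209c7bce9bef8de7307b6d8e12464 35624 glusterfs_3.8.8-1+deb9u1.debian.tar.xz
 7d2522a1faf42687215fd704af6383c7ad8665653a710e30290bac68c26ec9e2 5838 glusterfs_3.8.8-1+deb9u1_source.buildinfo
"""


class Entry(NamedTuple):
    sha256: str
    size: int
    filename: str


_LINE_RE = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums_sha256(text: str) -> List[Entry]:
    """Return the entries of the Checksums-Sha256 stanza of a .changes body.

    Only the indented continuation lines after "Checksums-Sha256:" are read;
    the stanza ends at the first line that is not indented.
    """
    entries: List[Entry] = []
    in_stanza = False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):
                break
            m = _LINE_RE.match(line)
            if m is None:
                raise ValueError(f"malformed checksum line: {line!r}")
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3)))
    return entries


def _sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large tarballs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(entries: List[Entry], directory: str) -> Dict[str, str]:
    """Check every listed file under `directory`.

    Returns filename -> one of "ok", "bad-name", "missing", "size-mismatch"
    or "hash-mismatch". Size is compared before hashing so a truncated
    download is reported as such rather than as a corrupted one.
    """
    results: Dict[str, str] = {}
    for e in entries:
        # .changes filenames are bare basenames; anything with a directory
        # component must not be joined onto the target directory.
        if os.path.basename(e.filename) != e.filename:
            results[e.filename] = "bad-name"
            continue
        path = os.path.join(directory, e.filename)
        if not os.path.isfile(path):
            results[e.filename] = "missing"
        elif os.path.getsize(path) != e.size:
            results[e.filename] = "size-mismatch"
        elif _sha256_of(path) != e.sha256:
            results[e.filename] = "hash-mismatch"
        else:
            results[e.filename] = "ok"
    return results


def all_ok(results: Dict[str, str]) -> bool:
    """True only when at least one file was listed and every one verified."""
    return bool(results) and all(v == "ok" for v in results.values())


if __name__ == "__main__":
    import sys

    # Assumed usage: python3 verify_changes.py /path/to/downloaded/files
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    report = verify_files(parse_checksums_sha256(CHANGES_SHA256_STANZA), target_dir)
    for name, status in report.items():
        print(f"{status:14} {name}")
    sys.exit(0 if all_ok(report) else 1)
```

The non-zero exit status makes the check usable as a gate in a build pipeline; a "size-mismatch" for the orig tarball typically means an interrupted mirror fetch, whereas "hash-mismatch" with the right size is the case worth investigating before retrying.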

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

