Hi Patrick,

On Tue, Nov 06, 2018 at 12:28:06PM +0100, Salvatore Bonaccorso wrote:
> Hi Patrick,
>
> On Tue, Nov 06, 2018 at 11:19:03AM +0100, Salvatore Bonaccorso wrote:
> > Control: notfixed -1 4.1.5-1
> >
> > Hi Patrick,
> >
> > On Tue, Nov 06, 2018 at 10:52:53AM +0100, Patrick Matthäi wrote:
> > > fixed #912997 4.1.5-1
> > [...]
> > >
> > > If I see it correct, there is no issue open here?
> >
> > Don't think this is correct. For instance just take CVE-2018-14661,
> > this is still unresolved in 4.1.5-1 and 5.0-1. Same for
> > CVE-2018-14660, CVE-2018-14659, CVE-2018-14654, CVE-2018-14653.
> >
> > CVE-2018-14652 seems fixed in 5.0-1, but needs double check.
> >
> > CVE-2018-14651 is as well missing as far as I can see from 4.1.5-1 and
> > 5.0-1.
>
> Just to be clear, I'm not 100% certain but just skimmed over the
> 4.1.5-1 and 5.0-1 and that was I think the fixes are not included in
> neither 4.1.5 upstream nor 5.0.
So I had a closer look tonight. I'm trying to give some status update; all relevant links are already tracked in the security-tracker itself.

CVE-2018-14651: looks unresolved in both release-4.1 and release-5. The Gerrit review is, as tracked in the security-tracker, https://review.gluster.org/#/c/glusterfs/+/21527/ .

CVE-2018-14652: not fixed in 4.1.5, but in the later commit e2c195712a9ecbda4fa02f5308138a1257a2558a . The fix is just part of another code change upstream as per 052849983e51a061d7fb2c3ffd74fa78bb257084, which was already in v5.0alpha. As such my previous statement of it being fixed in 5.0-1 is right.

CVE-2018-14653: not yet a fix in either release-5 or release-4.1, just in review status in Gerrit. See extracted commits in the security-tracker. I guess this is upstream still in proper review status even if Red Hat has already scheduled updates.

CVE-2018-14654: for release-4.1 committed, but not in a released version (5f4ae8a80543332a2e92dfa5c7f833ae7b93a664). For release-5 it is dc775c4ae052d1e9d0f61ace3be999f73f0ffa23 .

CVE-2018-14659: unresolved in release-5 and release-4.1.

CVE-2018-14660: fix under review, not yet committed to the release-5 or release-4.1 branch.

CVE-2018-14661: see review status in Gerrit. Still not yet committed to the release-5 or release-4.1 branches.

So I think apart from one CVE which is fixed in 5.0-1, all others are yet unaddressed upstream.

Regards,
Salvatore