Your message dated Thu, 26 Jul 2018 13:04:31 +0000
with message-id <e1fifwv-0002qq...@fasolo.debian.org>
and subject line Bug#901968: fixed in glusterfs 4.1.2-1
has caused the Debian Bug report #901968,
regarding glusterfs: CVE-2018-10841: access trusted peer group via remote-host command
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
901968: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901968
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: glusterfs
Version: 3.8.8-1
Severity: grave
Tags: patch security upstream

Hi,

The following vulnerability was published for glusterfs.

CVE-2018-10841[0]:
| glusterfs is vulnerable to privilege escalation on gluster server
| nodes. An authenticated gluster client via TLS could use gluster cli
| with --remote-host command to add itself to trusted storage pool and
| perform privileged gluster operations like adding other machines to
| trusted storage pool, start, stop, and delete volumes.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10841
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10841
[1] http://git.gluster.org/cgit/glusterfs.git/commit/?id=e8d928e34680079e42be6947ffacc4ddd7defca2
[2] https://review.gluster.org/#/c/20328/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: glusterfs
Source-Version: 4.1.2-1

We believe that the bug you reported is fixed in the latest version of
glusterfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated glusterfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 26 Jul 2018 14:23:11 +0200
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 4.1.2-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-server - clustered file-system (server package)
Closes: 901968
Changes:
 glusterfs (4.1.2-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes CVE-2018-10841: Access trusted peer group via remote-host command.
       Closes: #901968
     - Drop patch 02-shell-syntax-error.
     - Install new gsyncd.conf file.
   * Merge 4.0.2-1~bpo9+1 changelog.
   * Remove trailing whitespace from debian/changelog.
   * Adjust lintian warnings.
   * Bump Standards-Version to 4.1.5.
   * Merge patch 03-spelling-errors into 01-spelling-error.
   * Adjust lintian overrides.
   * Correct patch 04-systemd-fixes. The documentation key is placed in the unit
     section now.

--- End Message ---
