Your message dated Thu, 15 Nov 2018 10:50:57 +0000 with message-id <e1gnfef-0009ba...@fasolo.debian.org> and subject line Bug#912997: fixed in glusterfs 5.1-1 has caused the Debian Bug report #912997, regarding glusterfs: Several security vulnerabilities to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
912997: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912997
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glusterfs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for glusterfs.

CVE-2018-14651[0]:
| It was found that the fix for CVE-2018-10927, CVE-2018-10928,
| CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A
| remote, authenticated attacker could use one of these flaws to execute
| arbitrary code, create arbitrary files, or cause denial of service on
| glusterfs server nodes via symlinks to relative paths.

CVE-2018-14652[1]:
| The Gluster file system through versions 3.12 and 4.1.4 is vulnerable
| to a buffer overflow in the 'features/index' translator via the code
| handling the 'GF_XATTR_CLRLK_CMD' xattr in the 'pl_getxattr' function.
| A remote authenticated attacker could exploit this on a mounted volume
| to cause a denial of service.

CVE-2018-14653[2]:
| The Gluster file system through versions 4.1.4 and 3.12 is vulnerable
| to a heap-based buffer overflow in the '__server_getspec' function via
| the 'gf_getspec_req' RPC message. A remote authenticated attacker
| could exploit this to cause a denial of service or other potential
| unspecified impact.

CVE-2018-14654[3]:
| The Gluster file system through version 4.1.4 is vulnerable to abuse
| of the 'features/index' translator. A remote attacker with access to
| mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY'
| xattrop to create arbitrary, empty files on the target server.

CVE-2018-14659[4]:
| The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable
| to a denial of service attack via use of the
| 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker
| could exploit this by mounting a Gluster volume and repeatedly calling
| 'setxattr(2)' to trigger a state dump and create an arbitrary number
| of files in the server's runtime directory.

CVE-2018-14660[5]:
| A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2
| which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote,
| authenticated attacker could use this flaw to create multiple locks
| for single inode by using setxattr repetitively resulting in memory
| exhaustion of glusterfs server node.

CVE-2018-14661[6]:
| It was found that usage of snprintf function in feature/locks
| translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster
| Storage, was vulnerable to a format string attack. A remote,
| authenticated attacker could use this flaw to cause remote denial of
| service.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14651
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14651
[1] https://security-tracker.debian.org/tracker/CVE-2018-14652
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14652
[2] https://security-tracker.debian.org/tracker/CVE-2018-14653
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14653
[3] https://security-tracker.debian.org/tracker/CVE-2018-14654
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14654
[4] https://security-tracker.debian.org/tracker/CVE-2018-14659
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14659
[5] https://security-tracker.debian.org/tracker/CVE-2018-14660
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14660
[6] https://security-tracker.debian.org/tracker/CVE-2018-14661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14661

Please adjust the affected versions in the BTS as needed.

Regards,
Markus
--- End Message ---
--- Begin Message ---
Source: glusterfs
Source-Version: 5.1-1

We believe that the bug you reported is fixed in the latest version of
glusterfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 912...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated glusterfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Nov 2018 11:10:47 +0100
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 5.1-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-server - clustered file-system (server package)
Closes: 912997
Changes:
 glusterfs (5.1-1) unstable; urgency=high
 .
   * New upstream release.
     - Several security vulnerabilities are fixed.
       Closes: #912997
     - This release fixes CVE-2018-14651:
       It was found that the fix for CVE-2018-10927, CVE-2018-10928,
       CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A
       remote, authenticated attacker could use one of these flaws to execute
       arbitrary code, create arbitrary files, or cause denial of service on
       glusterfs server nodes via symlinks to relative paths.
     - This release fixes CVE-2018-14654:
       The Gluster file system through version 4.1.4 is vulnerable to abuse
       of the 'features/index' translator. A remote attacker with access to
       mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY'
       xattrop to create arbitrary, empty files on the target server.
     - This release fixes CVE-2018-14659:
       The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable
       to a denial of service attack via use of the
       'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker
       could exploit this by mounting a Gluster volume and repeatedly calling
       'setxattr(2)' to trigger a state dump and create an arbitrary number
       of files in the server's runtime directory.
     - This release fixes CVE-2018-14660:
       A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2
       which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote,
       authenticated attacker could use this flaw to create multiple locks
       for single inode by using setxattr repetitively resulting in memory
       exhaustion of glusterfs server node.
     - This release fixes CVE-2018-14661:
       It was found that usage of snprintf function in feature/locks
       translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster
       Storage, was vulnerable to a format string attack. A remote,
       authenticated attacker could use this flaw to cause remote denial of
       service.
     - This release fixes CVE-2018-14653:
       The Gluster file system through versions 4.1.4 and 3.12 is vulnerable
       to a heap-based buffer overflow in the '__server_getspec' function via
       the 'gf_getspec_req' RPC message. A remote authenticated attacker
       could exploit this to cause a denial of service or other potential
       unspecified impact.
   * Modify patch 04-systemd-fixes to use /run directory instead of /var/run.
   * Adjust lintian overrides.
   * CVE-2012-5635 was fixed a long time ago.
Checksums-Sha1:
 9e1e25d77c11cda06bbb12a27aaa10f1ea38f0db 2162 glusterfs_5.1-1.dsc
 ba745c0016a839e7fdaefc4d08710862c5ba7858 7604907 glusterfs_5.1.orig.tar.gz
 a73d8ddc1cc8757614b41e69db5d5681c515c1af 17804 glusterfs_5.1-1.debian.tar.xz
 691bd09c53a50dcd5f27ab58a5ec263d2b2eb8e0 37636 glusterfs-client-dbgsym_5.1-1_amd64.deb
 d2e10d3c45acf4571afed808184a820dd751f285 2475512 glusterfs-client_5.1-1_amd64.deb
 558704b86aa776fe05c6eedea6765b2669171ee0 18467652 glusterfs-common-dbgsym_5.1-1_amd64.deb
 85062a72f69b5cdf31c6255ff701d62d76f48be8 5820232 glusterfs-common_5.1-1_amd64.deb
 75069a2299740ff944f0ceb25734a7c056f47ff5 722080 glusterfs-server-dbgsym_5.1-1_amd64.deb
 1495ecbf83175fdbdfb5e46fde724a4abd7675c9 2648416 glusterfs-server_5.1-1_amd64.deb
 801c1d9dc9ae0ca74ee3a678665f34fbf70abdff 11611 glusterfs_5.1-1_amd64.buildinfo
Checksums-Sha256:
 46c6fd1b3eb74aeb973cbfb9233a89b97eb872cd69825dac407e62311be3668b 2162 glusterfs_5.1-1.dsc
 779d03cf50710043682b9c6f14ac4c7964a82d6423383b8e09ac86c9c6704f0e 7604907 glusterfs_5.1.orig.tar.gz
 71ce4da55216869991e1cf0705cc9cc997de2f91efab9627e84a374e6a1883b2 17804 glusterfs_5.1-1.debian.tar.xz
 575f58a9fe185c817a7ce2a9f4f0eb1ebbd58c518c953552c89f5c58412f541e 37636 glusterfs-client-dbgsym_5.1-1_amd64.deb
 a212174c83ddc74373ea563e925610cc593b9ea983b2bb5779354706ba2ed611 2475512 glusterfs-client_5.1-1_amd64.deb
 85ae963caa0eaa51cbb7d6ac1af04b21e01818545a6850e89c9f953170686123 18467652 glusterfs-common-dbgsym_5.1-1_amd64.deb
 ffb8b1d5bd9ef4c092f9e65bac7ed0acebe63cb147970191000ace5bd58c868c 5820232 glusterfs-common_5.1-1_amd64.deb
 43fe2e099e31a5b82cb57b2d20e702229ea1d4b6ad7e26371fdd28de1d6633c4 722080 glusterfs-server-dbgsym_5.1-1_amd64.deb
 cad1d3d8947d08e7b96a0d0ef36063c1f1b828df513a95f37e9b60b28eda4c20 2648416 glusterfs-server_5.1-1_amd64.deb
 59d8952bd45e73934971dcad3b105f7045c6363ecea8aa2c1650e206584cafe3 11611 glusterfs_5.1-1_amd64.buildinfo
Files:
 fc585368d58ad7e64511d69e925a78e8 2162 admin optional glusterfs_5.1-1.dsc
 f0b61496a761cf6bf149e9613596fd0e 7604907 admin optional glusterfs_5.1.orig.tar.gz
 f3c8984393c08b243a9158b28a7d4da9 17804 admin optional glusterfs_5.1-1.debian.tar.xz
 6d973f3418d646c8c1d0dcf09c464f6b 37636 debug optional glusterfs-client-dbgsym_5.1-1_amd64.deb
 e350b933b412307390ba00688c1562c8 2475512 admin optional glusterfs-client_5.1-1_amd64.deb
 bc1db8d0fc2ac29d4193ccfbb860943d 18467652 debug optional glusterfs-common-dbgsym_5.1-1_amd64.deb
 c692be461fd0fbba09c58306eb6e5128 5820232 admin optional glusterfs-common_5.1-1_amd64.deb
 b2c54b6015af298db7bef73b12e591c9 722080 debug optional glusterfs-server-dbgsym_5.1-1_amd64.deb
 7446e11375012456f9b26782dedb7bdf 2648416 admin optional glusterfs-server_5.1-1_amd64.deb
 6b3d7ed929057ce611a205a08b172c28 11611 admin optional glusterfs_5.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEWKA9xYJCWk3IuQ4TEtmwSpDL2OQFAlvtSmgACgkQEtmwSpDL
2OSRSw//Yhv7sbcqPxdkyo2q2Ey2ZsxDozMyV6jlQqHEzLb2CEihzYRcMgmyHXom
HRPWs6OkLjkVSbQpUXveMKpfzekIX852UICtzZewY6zPCOXorqcWnNKY4mI0fDDB
z1PeK6khGZ3lPoWmt57p2hsxH1MQYLOrOzO3nj2Huxws6g0P2pOwUA2PbC7SQ/5F
VnQuaQ9Qq7dOPV3AvWJuX2n3OZwKzNdPaZG6mVHElWx8VEqmvLVk7o5IEjwg1alC
ju5/E/CK5Venip1xHAMHhvOgYc+Go2RBIMdoEGVX5JAghFxoG1yu1I4Kr/kOp8nu
5XqqgjQjD2/tdd4/JzzC6GdlHlx4RA4/FjCngVyiXBOZaCKynsCTFOLN8EjBuw3M
Pl5W7DAcwi0NvokS891ijp4NhjMq1CvdQn099EwVZusxa2QgfWhih+74ra1ofNv0
li6jHwF0Ixmjq8pgQvenUGwrZD4ieFqGF4b1YaE1sCb4qmiMWx+j7SPHG2dUJwvs
JVPnFxg0b47/5n8wCntDKv7lBCxum/pGU8QVT9p6dnJxhD0csefRNvrvpa8S6az5
4/qLUt3M12MqkY91Yzd2NyiXRnbTDVt1JANYJrs2l0CVAp3rzgX/1Ik9AXPSbh+X
UEulu7VLCvV3NWu4EF1zvamkNk38Psu7WMPOPr4w+SrwsaWxB28=
=8UmG
-----END PGP SIGNATURE-----
--- End Message ---
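Added example, not part of the bug log above and not Debian's or the glusterfs package's own tooling: a small Python checker for a .changes file like the one in the closing message. It parses the Checksums-Sha1, Checksums-Sha256 and Files stanzas, refuses a file whose three stanzas disagree on names or sizes, and verifies the listed artifacts in a directory by SHA-256 only (the SHA-1 and MD5 columns are checked for consistency but never trusted for the verdict). The embedded sample reuses the first two entries of the glusterfs 5.1-1 .changes quoted above; the files and the second .changes text that `demo()` builds are constructed. It does not check the PGP signature, and the digests are worth nothing without it: verify the signature against the Debian keyring first (`gpg --verify`, or devscripts' `dscverify`, which does both steps), and prefer feeding this the cleartext `gpg --decrypt` emits so an armour header such as `Version:` cannot shadow a real field.

```python
"""Check the artifacts listed in a Debian .changes file against a directory.
Added example, not Debian or glusterfs code. Verify the PGP signature first
(gpg --verify, or devscripts' dscverify); this checks only the digests."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# First two entries of the real glusterfs 5.1-1 .changes quoted above.
SAMPLE_CHANGES = """\
Source: glusterfs
Version: 5.1-1
Checksums-Sha1:
 9e1e25d77c11cda06bbb12a27aaa10f1ea38f0db 2162 glusterfs_5.1-1.dsc
 ba745c0016a839e7fdaefc4d08710862c5ba7858 7604907 glusterfs_5.1.orig.tar.gz
Checksums-Sha256:
 46c6fd1b3eb74aeb973cbfb9233a89b97eb872cd69825dac407e62311be3668b 2162 glusterfs_5.1-1.dsc
 779d03cf50710043682b9c6f14ac4c7964a82d6423383b8e09ac86c9c6704f0e 7604907 glusterfs_5.1.orig.tar.gz
Files:
 fc585368d58ad7e64511d69e925a78e8 2162 admin optional glusterfs_5.1-1.dsc
 f0b61496a761cf6bf149e9613596fd0e 7604907 admin optional glusterfs_5.1.orig.tar.gz
"""


def parse_deb822(text: str) -> Dict[str, List[str]]:
    """field -> [value, continuation lines...]; lines without ':' (PGP armour, base64)
    are skipped, so pass gpg --decrypt's cleartext rather than the armoured file."""
    fields: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current is not None:
                fields[current].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def parse_checksums(lines: List[str], digest_len: int) -> Dict[str, Tuple[str, int]]:
    """'<digest> <size> [section priority] <name>' lines -> {name: (digest, size)}."""
    out: Dict[str, Tuple[str, int]] = {}
    for raw in lines:
        parts = raw.split()
        if len(parts) < 3 or not re.fullmatch("[0-9a-f]{%d}" % digest_len, parts[0]):
            raise ValueError(f"malformed checksum line: {raw!r}")
        name = parts[-1]
        if "/" in name or name.startswith(".") or name in out:  # no path escapes, no dupes
            raise ValueError(f"unsafe or duplicate file name: {name!r}")
        out[name] = (parts[0], int(parts[1]))
    return out


def load_changes(text: str) -> Dict[str, Tuple[str, int]]:
    """SHA-256 entries, after checking Checksums-Sha1 and Files agree on names and sizes."""
    fields = parse_deb822(text)
    sha256 = parse_checksums(fields.get("Checksums-Sha256", []), 64)
    if not sha256:
        raise ValueError("no Checksums-Sha256 stanza; not falling back to SHA-1/MD5")
    for stanza, digest_len in (("Checksums-Sha1", 40), ("Files", 32)):
        other = parse_checksums(fields.get(stanza, []), digest_len)
        if other.keys() != sha256.keys() or any(
                size != sha256[n][1] for n, (_, size) in other.items()):
            raise ValueError(f"{stanza} disagrees with Checksums-Sha256 on names or sizes")
    return sha256


def verify_dir(changes_text: str, directory: str) -> Dict[str, str]:
    """Each listed file -> 'ok' | 'missing' | 'size-mismatch' | 'digest-mismatch'."""
    results = {}
    for name, (digest, size) in load_changes(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"  # cheap check before hashing a tarball
        else:
            with open(path, "rb") as f:  # whole-file read is fine at package sizes
                actual = hashlib.sha256(f.read()).hexdigest()
            results[name] = "ok" if actual == digest else "digest-mismatch"
    return results


def demo() -> Dict[str, Dict[str, str]]:
    """Build a .changes for two constructed files, verify, then flip one byte and re-verify."""
    names = ["example_1.0-1.dsc", "example_1.0.orig.tar.gz"]
    stanzas: Dict[str, List[str]] = {"Checksums-Sha1": [], "Checksums-Sha256": [], "Files": []}
    with tempfile.TemporaryDirectory() as d:
        for i, name in enumerate(names):
            data = b"constructed sample artifact %d\n" % i
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
            stanzas["Checksums-Sha1"].append(f" {hashlib.sha1(data).hexdigest()} {len(data)} {name}")
            stanzas["Checksums-Sha256"].append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
            stanzas["Files"].append(f" {hashlib.md5(data).hexdigest()} {len(data)} admin optional {name}")
        changes = "Source: example\n" + "".join(f"{k}:\n" + "\n".join(v) + "\n" for k, v in stanzas.items())
        before = verify_dir(changes, d)
        with open(os.path.join(d, names[1]), "r+b") as f:
            f.write(b"X")  # same length, new content: only the digest catches it
        after = verify_dir(changes, d)
    return {"before": before, "after": after}
```

Against a real download, `verify_dir(open("glusterfs_5.1-1_amd64.changes").read(), "pool/")` reports one verdict per listed file; `demo()` shows the two failure modes the size-then-digest ordering distinguishes. The stanza cross-check matters because a tampered .changes that only edits the SHA-256 column would otherwise sail through any verifier that reads a single stanza.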