Format: 1.8
Date: Sat, 03 Nov 2018 16:44:26 +0100
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common glusterfs-dbg
Architecture: source amd64
Version: 3.5.2-2+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-dbg - GlusterFS debugging symbols
 glusterfs-server - clustered file-system (server package)
Changes:
 glusterfs (3.5.2-2+deb8u5) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-14651:
     It was found that the fix for CVE-2018-10927, CVE-2018-10928,
     CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete.
     A remote, authenticated attacker could use one of these flaws to
     execute arbitrary code, create arbitrary files, or cause denial of
     service on glusterfs server nodes via symlinks to relative paths.
   * Fix CVE-2018-14652:
     The Gluster file system is vulnerable to a buffer overflow in the
     'features/index' translator via the code handling the
     'GF_XATTR_CLRLK_CMD' xattr in the 'pl_getxattr' function. A remote
     authenticated attacker could exploit this on a mounted volume to
     cause a denial of service.
   * Fix CVE-2018-14653:
     The Gluster file system is vulnerable to a heap-based buffer overflow
     in the '__server_getspec' function via the 'gf_getspec_req' RPC
     message. A remote authenticated attacker could exploit this to cause
     a denial of service or other potential unspecified impact.
   * Fix CVE-2018-14659:
     The Gluster file system is vulnerable to a denial of service attack
     via use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote,
     authenticated attacker could exploit this by mounting a Gluster
     volume and repeatedly calling 'setxattr(2)' to trigger a state dump
     and create an arbitrary number of files in the server's runtime
     directory.
   * Fix CVE-2018-14661:
     It was found that usage of the snprintf function in the feature/locks
     translator of the glusterfs server, as shipped with Red Hat Gluster
     Storage, was vulnerable to a format string attack. A remote,
     authenticated attacker could use this flaw to cause remote denial of
     service.