-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Nov 2018 11:10:47 +0100
Source: glusterfs
Binary: glusterfs-client glusterfs-server glusterfs-common
Architecture: source amd64
Version: 5.1-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 glusterfs-client - clustered file-system (client package)
 glusterfs-common - GlusterFS common libraries and translator modules
 glusterfs-server - clustered file-system (server package)
Closes: 912997
Changes:
 glusterfs (5.1-1) unstable; urgency=high
 .
   * New upstream release.
     - Several security vulnerabilities are fixed.
       Closes: #912997
     - This release fixes CVE-2018-14651: It was found that the fix for
       CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and
       CVE-2018-10926 was incomplete. A remote, authenticated attacker could
       use one of these flaws to execute arbitrary code, create arbitrary
       files, or cause denial of service on glusterfs server nodes via
       symlinks to relative paths.
     - This release fixes CVE-2018-14654: The Gluster file system through
       version 4.1.4 is vulnerable to abuse of the 'features/index'
       translator. A remote attacker with access to mount volumes could
       exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create
       arbitrary, empty files on the target server.
     - This release fixes CVE-2018-14659: The Gluster file system through
       versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack
       via use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote,
       authenticated attacker could exploit this by mounting a Gluster
       volume and repeatedly calling 'setxattr(2)' to trigger a state dump
       and create an arbitrary number of files in the server's runtime
       directory.
     - This release fixes CVE-2018-14660: A flaw was found in glusterfs
       server through versions 4.1.4 and 3.1.2 which allowed repeated usage
       of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use
       this flaw to create multiple locks for a single inode by using
       setxattr repetitively, resulting in memory exhaustion of the
       glusterfs server node.
     - This release fixes CVE-2018-14661: It was found that usage of the
       snprintf function in the feature/locks translator of glusterfs server
       3.8.4, as shipped with Red Hat Gluster Storage, was vulnerable to a
       format string attack. A remote, authenticated attacker could use this
       flaw to cause remote denial of service.
     - This release fixes CVE-2018-14653: The Gluster file system through
       versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow
       in the '__server_getspec' function via the 'gf_getspec_req' RPC
       message. A remote authenticated attacker could exploit this to cause
       a denial of service or other potential unspecified impact.
   * Modify patch 04-systemd-fixes to use the /run directory instead of
     /var/run.
   * Adjust lintian overrides.
   * CVE-2012-5635 was fixed a long time ago.
Checksums-Sha1:
 9e1e25d77c11cda06bbb12a27aaa10f1ea38f0db 2162 glusterfs_5.1-1.dsc
 ba745c0016a839e7fdaefc4d08710862c5ba7858 7604907 glusterfs_5.1.orig.tar.gz
 a73d8ddc1cc8757614b41e69db5d5681c515c1af 17804 glusterfs_5.1-1.debian.tar.xz
 691bd09c53a50dcd5f27ab58a5ec263d2b2eb8e0 37636 glusterfs-client-dbgsym_5.1-1_amd64.deb
 d2e10d3c45acf4571afed808184a820dd751f285 2475512 glusterfs-client_5.1-1_amd64.deb
 558704b86aa776fe05c6eedea6765b2669171ee0 18467652 glusterfs-common-dbgsym_5.1-1_amd64.deb
 85062a72f69b5cdf31c6255ff701d62d76f48be8 5820232 glusterfs-common_5.1-1_amd64.deb
 75069a2299740ff944f0ceb25734a7c056f47ff5 722080 glusterfs-server-dbgsym_5.1-1_amd64.deb
 1495ecbf83175fdbdfb5e46fde724a4abd7675c9 2648416 glusterfs-server_5.1-1_amd64.deb
 801c1d9dc9ae0ca74ee3a678665f34fbf70abdff 11611 glusterfs_5.1-1_amd64.buildinfo
Checksums-Sha256:
 46c6fd1b3eb74aeb973cbfb9233a89b97eb872cd69825dac407e62311be3668b 2162 glusterfs_5.1-1.dsc
 779d03cf50710043682b9c6f14ac4c7964a82d6423383b8e09ac86c9c6704f0e 7604907 glusterfs_5.1.orig.tar.gz
 71ce4da55216869991e1cf0705cc9cc997de2f91efab9627e84a374e6a1883b2 17804 glusterfs_5.1-1.debian.tar.xz
 575f58a9fe185c817a7ce2a9f4f0eb1ebbd58c518c953552c89f5c58412f541e 37636 glusterfs-client-dbgsym_5.1-1_amd64.deb
 a212174c83ddc74373ea563e925610cc593b9ea983b2bb5779354706ba2ed611 2475512 glusterfs-client_5.1-1_amd64.deb
 85ae963caa0eaa51cbb7d6ac1af04b21e01818545a6850e89c9f953170686123 18467652 glusterfs-common-dbgsym_5.1-1_amd64.deb
 ffb8b1d5bd9ef4c092f9e65bac7ed0acebe63cb147970191000ace5bd58c868c 5820232 glusterfs-common_5.1-1_amd64.deb
 43fe2e099e31a5b82cb57b2d20e702229ea1d4b6ad7e26371fdd28de1d6633c4 722080 glusterfs-server-dbgsym_5.1-1_amd64.deb
 cad1d3d8947d08e7b96a0d0ef36063c1f1b828df513a95f37e9b60b28eda4c20 2648416 glusterfs-server_5.1-1_amd64.deb
 59d8952bd45e73934971dcad3b105f7045c6363ecea8aa2c1650e206584cafe3 11611 glusterfs_5.1-1_amd64.buildinfo
Files:
 fc585368d58ad7e64511d69e925a78e8 2162 admin optional glusterfs_5.1-1.dsc
 f0b61496a761cf6bf149e9613596fd0e 7604907 admin optional glusterfs_5.1.orig.tar.gz
 f3c8984393c08b243a9158b28a7d4da9 17804 admin optional glusterfs_5.1-1.debian.tar.xz
 6d973f3418d646c8c1d0dcf09c464f6b 37636 debug optional glusterfs-client-dbgsym_5.1-1_amd64.deb
 e350b933b412307390ba00688c1562c8 2475512 admin optional glusterfs-client_5.1-1_amd64.deb
 bc1db8d0fc2ac29d4193ccfbb860943d 18467652 debug optional glusterfs-common-dbgsym_5.1-1_amd64.deb
 c692be461fd0fbba09c58306eb6e5128 5820232 admin optional glusterfs-common_5.1-1_amd64.deb
 b2c54b6015af298db7bef73b12e591c9 722080 debug optional glusterfs-server-dbgsym_5.1-1_amd64.deb
 7446e11375012456f9b26782dedb7bdf 2648416 admin optional glusterfs-server_5.1-1_amd64.deb
 6b3d7ed929057ce611a205a08b172c28 11611 admin optional glusterfs_5.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEWKA9xYJCWk3IuQ4TEtmwSpDL2OQFAlvtSmgACgkQEtmwSpDL
2OSRSw//Yhv7sbcqPxdkyo2q2Ey2ZsxDozMyV6jlQqHEzLb2CEihzYRcMgmyHXom
HRPWs6OkLjkVSbQpUXveMKpfzekIX852UICtzZewY6zPCOXorqcWnNKY4mI0fDDB
z1PeK6khGZ3lPoWmt57p2hsxH1MQYLOrOzO3nj2Huxws6g0P2pOwUA2PbC7SQ/5F
VnQuaQ9Qq7dOPV3AvWJuX2n3OZwKzNdPaZG6mVHElWx8VEqmvLVk7o5IEjwg1alC
ju5/E/CK5Venip1xHAMHhvOgYc+Go2RBIMdoEGVX5JAghFxoG1yu1I4Kr/kOp8nu
5XqqgjQjD2/tdd4/JzzC6GdlHlx4RA4/FjCngVyiXBOZaCKynsCTFOLN8EjBuw3M
Pl5W7DAcwi0NvokS891ijp4NhjMq1CvdQn099EwVZusxa2QgfWhih+74ra1ofNv0
li6jHwF0Ixmjq8pgQvenUGwrZD4ieFqGF4b1YaE1sCb4qmiMWx+j7SPHG2dUJwvs
JVPnFxg0b47/5n8wCntDKv7lBCxum/pGU8QVT9p6dnJxhD0csefRNvrvpa8S6az5
4/qLUt3M12MqkY91Yzd2NyiXRnbTDVt1JANYJrs2l0CVAp3rzgX/1Ik9AXPSbh+X
UEulu7VLCvV3NWu4EF1zvamkNk38Psu7WMPOPr4w+SrwsaWxB28=
=8UmG
-----END PGP SIGNATURE-----