[SECURITY] [DLA 1510-1] glusterfs security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : glusterfs
Version : 3.5.2-2+deb8u4
CVE ID : CVE-2018-10904 CVE-2018-10907 CVE-2018-10911
CVE-2018-10913 CVE-2018-10914 CVE-2018-10923
CVE-2018-10926 CVE-2018-10927 CVE-2018-10928
CVE-2018-10929 CVE-2018-10930
Debian Bug : 909215

Multiple security vulnerabilities were discovered in GlusterFS, a
clustered file system. Buffer overflows and path traversal issues may
lead to information disclosure, denial of service or the execution of
arbitrary code.

To resolve these vulnerabilities, the following restrictions were
introduced in GlusterFS:

- open, read and write on special files such as character and block
  devices are no longer permitted
- the io-stat xlator can dump stat info only to the /run/gluster
  directory

For Debian 8 "Jessie", these problems have been fixed in version
3.5.2-2+deb8u4.

We recommend that you upgrade your glusterfs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----