[Gluster-devel] Heketi v5.0.1 security release available for download

Michael Adam obnox at samba.org
Mon Dec 18 17:10:29 UTC 2017


Heketi v5.0.1 is now available.


This release[1] fixes a flaw that was found in heketi API that
permits issuing of OS commands through specially crafted
requests, possibly leading to escalation of privileges. More
details can be obtained at CVE-2017-15103. [2]

If authentication is turned "on" in heketi configuration, the
flaw can be exploited only by those who possess authentication
key. In case you have a deployment without authentication set to
true, we recommend that you turn it on and also upgrade to
version with fix.


We thank Markus Krell of NTT Security for identifying
the vulnerability and notifying us about the it.

The fix was provided by Raghavendra Talur of Red Hat.


Note that previous versions of Heketi are discontinued
and users are strongly recommended to upgrade to Heketi 5.0.1.


Michael Adam on behalf of the Heketi team


[1] https://github.com/heketi/heketi/releases/tag/v5.0.1
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15103
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: not available
URL: <http://lists.gluster.org/pipermail/gluster-devel/attachments/20171218/3c3598a8/attachment.sig>


More information about the Gluster-devel mailing list