[Gluster-users] [heketi-devel] Heketi v5.0.1 security release available for download

[Niels de Vos]

On Mon, Dec 18, 2017 at 06:10:29PM +0100, Michael Adam wrote:
> 
> Heketi v5.0.1 is now available.

Packages for the CentOS Storage SIG are now becomnig available in the
testing repository. Packages can be obtained (soon) with the following
steps:

  # yum --enablerepo=centos-gluster*-test update heketi

The update will show up for systems that have the repository files from
the centos-release-gluster{310,312,313} packages. Other repositories
will not receive any updates anymore.

I'd appreciate it if someone could do basic testing of the update. When
some feedback is provided, the package can be marked for release to the
CentOS mirrors.

Niels


> This release[1] fixes a flaw that was found in heketi API that
> permits issuing of OS commands through specially crafted
> requests, possibly leading to escalation of privileges. More
> details can be obtained at CVE-2017-15103. [2]
> 
> If authentication is turned "on" in heketi configuration, the
> flaw can be exploited only by those who possess authentication
> key. In case you have a deployment without authentication set to
> true, we recommend that you turn it on and also upgrade to
> version with fix.
> 
> 
> We thank Markus Krell of NTT Security for identifying
> the vulnerability and notifying us about the it.
> 
> The fix was provided by Raghavendra Talur of Red Hat.
> 
> 
> Note that previous versions of Heketi are discontinued
> and users are strongly recommended to upgrade to Heketi 5.0.1.
> 
> 
> Michael Adam on behalf of the Heketi team
> 
> 
> [1] https://github.com/heketi/heketi/releases/tag/v5.0.1
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15103



> _______________________________________________
> heketi-devel mailing list
> heketi-devel at gluster.org
> http://lists.gluster.org/mailman/listinfo/heketi-devel