[Gluster-users] Updated Gluster Releases

Amye Scavarda amye at redhat.com
Fri Jul 6 19:14:49 UTC 2018


The Gluster community has released an out-of-normal-cadence release for
Gluster 3.12 and 4.1 that resolves a CVE[1]. A privilege escalation flaw
was found. Glusterfs is vulnerable to privilege escalation on gluster server
nodes. An authenticated gluster client via TLS could use gluster cli with
--remote-host command to add itself to trusted storage pool and perform
privileged gluster operations like adding other machines to trusted storage
pool, start, stop, and delete volumes. Installing the updated packages and
restarting gluster services on gluster brick hosts will help prevent the
security issue. Further information can be found at NVD[2].

Our recommendation is to upgrade to these new releases:

https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.11/
<https://download.gluster.org/pub/gluster/glusterfs/3.12/3.12.9/>
https://download.gluster.org/pub/gluster/glusterfs/4.0/4.1.1/
<https://download.gluster.org/pub/gluster/glusterfs/4.0/4.0.2/>

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10841
[2] https://nvd.nist.gov/vuln/detail/CVE-2018-10841


-- 
Amye Scavarda | amye at redhat.com | Gluster Community Lead
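
A version check built from the fixed releases named in this announcement, as an added example that is not part of the original message or of the Gluster project's code. The function names are hypothetical, the first line of `glusterfs --version` is assumed to read `glusterfs X.Y.Z ...`, and branches other than 3.12 and 4.1 are reported as unknown because the announcement does not cover them.

```shell
#!/bin/sh
# Added example: patch levels of the fixed releases named in the announcement.
FIXED_3_12=11   # 3.12.11
FIXED_4_1=1     # 4.1.1

# version_from_banner LINE -> second whitespace-separated field.
# Assumption: the banner has the form "glusterfs X.Y.Z ...".
version_from_banner() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# classify_gluster_version X.Y.Z -> prints fixed | needs-update | unknown
classify_gluster_version() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # reject non-numeric input
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                                   # split into major minor patch
    IFS=$old_ifs
    if [ $# -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo unknown; return 0
    fi
    case "$1.$2" in
        3.12) min=$FIXED_3_12 ;;
        4.1)  min=$FIXED_4_1 ;;
        *)    echo unknown; return 0 ;;           # branch not covered by the announcement
    esac
    if [ "$3" -ge "$min" ]; then echo fixed; else echo needs-update; fi
}

# Run on a brick host. This reports the installed package only; daemons
# started before the upgrade keep running the old code until the gluster
# services are restarted, as the announcement notes.
if command -v glusterfs >/dev/null 2>&1; then
    banner=$(glusterfs --version 2>/dev/null | head -n 1)
    v=$(version_from_banner "$banner")
    echo "glusterfs ${v:-?}: $(classify_gluster_version "$v")"
fi
```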