From phlogistonjohn at asynchrono.us Wed Sep 30 15:00:53 2020
From: phlogistonjohn at asynchrono.us (John Mulligan)
Date: Wed, 30 Sep 2020 11:00:53 -0400
Subject: [heketi-devel] Heketi v10.1.0 available for download
Message-ID: <3763841.qEYmdimspn@edfu>

This is a security and bugfix release. This is the new stable version of Heketi [0].

An information-disclosure flaw was found in the way Heketi logs sensitive information. This flaw allows an attacker with access to the Heketi server logs to read potentially sensitive information, such as the CHAP passwords for gluster-block volumes (CVE-2020-10763).

Administrators may want to check old logs for gluster-block passwords if they created block volumes with CHAP authentication enabled. Restrict access to, or remove, old logs that retain the passwords.

Thanks to Prasanna Kumar Kalever of Red Hat for finding and fixing this issue.

# Changelog

* Fix CVE-2020-10763
* Fix an issue removing/replacing devices on unrecoverable failed nodes
* Add a flag to skip a gluster heal check when gluster cannot report on heals (when a node has failed or is unable to perform the required action).

[0] - https://github.com/heketi/heketi/releases/tag/v10.1.0

--
John M. on behalf of the Heketi team
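The announcement asks administrators to check old Heketi logs for gluster-block CHAP passwords and to restrict or remove logs that still hold them. The script below is an added example of that check, not code from Heketi or the Heketi team: it scans log lines for a password field, reports the line numbers with the secret masked, and can write a redacted copy so the log can be kept for forensics without the credential. The exact text Heketi wrote before v10.1.0 is not reproduced here; the two patterns are an assumption that the leaked value appears as a gluster-block `PASSWORD` field, either as `PASSWORD: value` or as a JSON `"PASSWORD": "value"` pair. The sample log lines are constructed for the example.

```python
"""Find and redact gluster-block CHAP passwords in Heketi server logs.

Added example for the CVE-2020-10763 clean-up; not Heketi's own code.
Assumption: the leaked secret is a PASSWORD field of gluster-block output,
in either `PASSWORD: value` or JSON `"PASSWORD": "value"` form.
"""
import re
import sys
from typing import Iterable, List, Tuple

# Assumed shapes of the leaked field (case-insensitive). Each pattern has
# three groups: prefix to keep, secret to mask, suffix to keep.
_PATTERNS = [
    re.compile(r'(?i)("password"\s*:\s*")([^"]*)(")'),   # JSON style
    re.compile(r'(?i)(\bpassword\s*[:=]\s*)(\S+)()'),    # key: value style
]

# Constructed sample log, NOT real Heketi output; line 2 and line 4 leak.
SAMPLE_LOG = [
    "[heketi] INFO 2020/09/01 10:00:00 Creating block volume vol_1 on node1",
    '[cmdexec] DEBUG gluster-block output: {"IQN":"iqn.2016-12.org.gluster-block:vol_1",'
    '"USERNAME":"user_1","PASSWORD":"hunter2","RESULT":"SUCCESS"}',
    "[cmdexec] DEBUG gluster-block output: USERNAME: user_2",
    "[cmdexec] DEBUG gluster-block output: PASSWORD: t0ps3cret",
    "[heketi] INFO 2020/09/01 10:00:05 Block volume vol_1 created",
]


def redact_line(line: str) -> Tuple[str, bool]:
    """Mask any password field in `line`; return (new_line, was_changed)."""
    changed = False
    for pat in _PATTERNS:
        line, count = pat.subn(
            lambda m: m.group(1) + "<redacted>" + m.group(3), line
        )
        changed = changed or count > 0
    return line, changed


def find_leaked_credentials(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line carrying a password.

    The returned lines are already masked so a report of the findings does
    not re-leak the credential.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        redacted, changed = redact_line(line.rstrip("\n"))
        if changed:
            hits.append((number, redacted))
    return hits


def redact_file(src_path: str, dst_path: str) -> int:
    """Write a redacted copy of `src_path` to `dst_path`; return lines masked."""
    masked = 0
    with open(src_path, "r", encoding="utf-8", errors="replace") as src, \
            open(dst_path, "w", encoding="utf-8") as dst:
        for line in src:
            redacted, changed = redact_line(line.rstrip("\n"))
            masked += changed
            dst.write(redacted + "\n")
    return masked


if __name__ == "__main__":
    # Usage: python scan_heketi_logs.py [heketi.log ...]
    # With no arguments the constructed sample is scanned instead.
    if len(sys.argv) == 1:
        for number, line in find_leaked_credentials(SAMPLE_LOG):
            print(f"sample:{number}: {line}")
    for path in sys.argv[1:]:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for number, line in find_leaked_credentials(fh):
                print(f"{path}:{number}: {line}")
```

Run it against each retained Heketi log (and rotated copies, journald exports and any log shipper's archive); a non-empty report means the credential should be treated as exposed, the block volume's CHAP secret rotated, and the affected log either access-restricted or replaced by the `redact_file` output.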