[heketi-devel] Heketi v10.1.0 available for download

John Mulligan phlogistonjohn at asynchrono.us
Wed Sep 30 15:00:53 UTC 2020

This is a security and bugfix release. This is the new stable version of 
Heketi [0].

An information-disclosure flaw was found in the way Heketi logs sensitive
information. This flaw allows an attacker with access to the Heketi server 
logs to read potentially sensitive information, such as the CHAP passwords for
gluster-block volumes (CVE-2020-10763).

Administrators may want to check old logs for gluster-block passwords if they
created block volumes with CHAP authentication enabled. Restrict access or
remove old logs that retain the passwords.

Thanks to Prasanna Kumar Kalever of Red Hat for finding and fixing this issue.

# Changelog

 * Fix CVE-2020-10763
 * Fix an issue removing/replacing devices on unrecoverable failed nodes
 * Add a flag to skip a gluster heal check when gluster can not report on 
heals (when a node has failed or unable to perform the required action).

[0] - https://github.com/heketi/heketi/releases/tag/v10.1.0

-- John M. on behalf of the Heketi team

More information about the heketi-devel mailing list