[heketi-devel] Heketi v10.1.0 available for download
John Mulligan
phlogistonjohn at asynchrono.us
Wed Sep 30 15:00:53 UTC 2020
This is a security and bugfix release. This is the new stable version of
Heketi [0].
An information-disclosure flaw was found in the way Heketi logs sensitive
information. This flaw allows an attacker with access to the Heketi server
logs to read potentially sensitive information, such as the CHAP passwords for
gluster-block volumes (CVE-2020-10763).
Administrators may want to check old logs for gluster-block passwords if they
created block volumes with CHAP authentication enabled. Restrict access to, or
remove, old logs that retain the passwords.
Thanks to Prasanna Kumar Kalever of Red Hat for finding and fixing this issue.
# Changelog
* Fix CVE-2020-10763
* Fix an issue removing/replacing devices on unrecoverable failed nodes
* Add a flag to skip a gluster heal check when gluster cannot report on
heals (when a node has failed or is unable to perform the required action).
[0] - https://github.com/heketi/heketi/releases/tag/v10.1.0
-- John M. on behalf of the Heketi team
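
One way to carry out the log check recommended above for CVE-2020-10763, as an added example that is not part of the original announcement or the Heketi project's code. It reports which log files contain password-like entries, and whether those files are group or world readable, without printing the secret. The log layout, the `password` key pattern, the file names and all function names are assumptions, and the sample lines are constructed.

```python
import gzip
import os
import re
import stat
import tempfile

# Assumption: the secret follows a key named "password" (any case) in JSON or
# key=value form. Adjust the pattern to what your own logs contain.
SECRET_RE = re.compile(r"""(?i)(password["']?\s*[:=]\s*["']?)([^"'\s,}]+)""")


def open_log(path):
    """Open plain or gzip-rotated logs as text."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", errors="replace")


def redact(line):
    """Mask the secret value but keep the key, so the line stays useful."""
    return SECRET_RE.sub(r"\1[REDACTED]", line)


def audit(log_dir):
    """Map each log file with hits to its line numbers and read exposure."""
    report = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open_log(path) as fh:
                hits = [n for n, line in enumerate(fh, 1) if SECRET_RE.search(line)]
            if hits:  # report line numbers only, never the secret itself
                mode = os.stat(path).st_mode
                exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
                report[path] = {"lines": hits, "group_or_world_readable": exposed}
    return report


def make_sample_dir():
    """Constructed sample logs (not real Heketi output) for a dry run."""
    d = tempfile.mkdtemp()
    plain, rotated = os.path.join(d, "heketi.log"), os.path.join(d, "heketi.log.1.gz")
    with open(plain, "w") as fh:
        fh.write('INFO block volume create requested\n'
                 'DEBUG result: {"USERNAME":"blk1","PASSWORD":"constructed-secret"}\n')
    with gzip.open(rotated, "wt") as fh:
        fh.write("DEBUG args: password=constructed-secret-2\n")
    os.chmod(plain, 0o644)
    os.chmod(rotated, 0o600)
    return d
```

Call `audit()` on the directory that holds your Heketi server logs; files flagged as group or world readable are the ones to restrict or remove first, and `redact()` can be applied line by line when a sanitized copy must be kept.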