ESB-2018.1807 - [RedHat] glusterfs: Increased privileges - Existing account 2018-06-21


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1807
                   Important: glusterfs security update
                               21 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           glusterfs
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10841  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:1954
   https://access.redhat.com/errata/RHSA-2018:1955

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running glusterfs check for an updated version of the software for 
         their operating system.
         
         This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: glusterfs security update
Advisory ID:       RHSA-2018:1954-01
Product:           Red Hat Gluster Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1954
Issue date:        2018-06-20
CVE Names:         CVE-2018-10841 
=====================================================================

1. Summary:

An update for glusterfs is now available for Native Client for Red Hat
Enterprise Linux 7 for Red Hat Storage and Red Hat Gluster Storage 3.3 for
Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster Storage Server 3.3 on RHEL-7 - noarch, x86_64
Red Hat Storage Native Client for Red Hat Enterprise Linux 7 - noarch, x86_64

3. Description:

GlusterFS is a key building block of Red Hat Gluster Storage. It is based
on a stackable user-space design and can deliver exceptional performance
for diverse workloads. GlusterFS aggregates various storage servers over
network interconnections into one large, parallel network file system.

Security Fix:

* glusterfs: access trusted peer group via remote-host command
(CVE-2018-10841)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1582043 - CVE-2018-10841 glusterfs: access trusted peer group via remote-host command

6. Package List:

Red Hat Gluster Storage Server 3.3 on RHEL-7:

Source:
glusterfs-3.8.4-54.10.el7rhgs.src.rpm

noarch:
glusterfs-resource-agents-3.8.4-54.10.el7rhgs.noarch.rpm
python-gluster-3.8.4-54.10.el7rhgs.noarch.rpm

x86_64:
glusterfs-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-api-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-api-devel-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-cli-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-client-xlators-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-debuginfo-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-devel-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-events-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-fuse-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-ganesha-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-geo-replication-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-libs-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-rdma-3.8.4-54.10.el7rhgs.x86_64.rpm
glusterfs-server-3.8.4-54.10.el7rhgs.x86_64.rpm

Red Hat Storage Native Client for Red Hat Enterprise Linux 7:

Source:
glusterfs-3.8.4-54.10.el7.src.rpm

noarch:
python-gluster-3.8.4-54.10.el7.noarch.rpm

x86_64:
glusterfs-3.8.4-54.10.el7.x86_64.rpm
glusterfs-api-3.8.4-54.10.el7.x86_64.rpm
glusterfs-api-devel-3.8.4-54.10.el7.x86_64.rpm
glusterfs-cli-3.8.4-54.10.el7.x86_64.rpm
glusterfs-client-xlators-3.8.4-54.10.el7.x86_64.rpm
glusterfs-debuginfo-3.8.4-54.10.el7.x86_64.rpm
glusterfs-devel-3.8.4-54.10.el7.x86_64.rpm
glusterfs-fuse-3.8.4-54.10.el7.x86_64.rpm
glusterfs-libs-3.8.4-54.10.el7.x86_64.rpm
glusterfs-rdma-3.8.4-54.10.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-10841
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWyotY9zjgjWX9erEAQjToA//WxAlopmb6xP3AmZ3s1gVYFtnBaqe4Lre
Omm1gW8Y8tfJ115H6rsYFHlDm0LKsBccQFvaz6Zgz7rhZgKvg5bX9/KQb9H/buBY
gqHLmF5hArI5bNs//qEHAbXi/M3LV4YbBTKV0usXbAizp15IlFcMRpdaz+TwgvVi
uiHt2CNcgxMsVvspylP9o2DHsnnAi2nSYCCjtnH6uG0gf2hwsUBLPHNbt0duechG
kosWUnoR1EyFjLVzNCBFW1NIhx0vTxJhVVxlNhE8emCEz6qfJsSIKZBAqNq9Tepb
KrRrXRHyAFQRVIEk/0BW9eMQenzjxFhGhWiwSZltioWqdhxy9S5b1copziiu8C1j
R/KGWJ8xE6Xc7e666eNr414dg1jr0Yv3MEGG+tbbbVO8hwN4M4RgFf+Slv5wi3AN
OrPuXK94AZ89v1UMTMKgzpeSrIuT3MSOZEaJ42ueqD2VVdWnZ2ryu9IpasaXqunh
bB9w2IXN9FqgkdUJ5ziqmGBaRVMP65LAQBAYlfdp+1j8j6g2cw1zvUcuMAKBUUqI
l9ryxeh/9QGwDD+2GapgKsJkLAROI2/qESuu5MDNLuZlvWjRQJiePEn//tSSCtdL
XUaTsvCN2pqZw8yFRpDoGDz4TkRoV+nQ4mbnCODZH9dVVDl8NF8kHBH0gmleEpH9
Ealgq+MujhU=
=98Bi
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: glusterfs security update
Advisory ID:       RHSA-2018:1955-01
Product:           Red Hat Gluster Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1955
Issue date:        2018-06-20
CVE Names:         CVE-2018-10841 
=====================================================================

1. Summary:

An update for glusterfs is now available for Native Client for Red Hat
Enterprise Linux 6 for Red Hat Storage and Red Hat Gluster Storage 3.3 for
Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster Storage Server 3.3 on RHEL-6 - noarch, x86_64
Red Hat Storage Native Client for Red Hat Enterprise Linux 6 - noarch, x86_64

3. Description:

GlusterFS is a key building block of Red Hat Gluster Storage. It is based
on a stackable user-space design and can deliver exceptional performance
for diverse workloads. GlusterFS aggregates various storage servers over
network interconnections into one large, parallel network file system.

Security Fix:

* glusterfs: access trusted peer group via remote-host command
(CVE-2018-10841)

For more details about the security issue(s), including the impact, a
CVSS score, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1582043 - CVE-2018-10841 glusterfs: access trusted peer group via remote-host command

6. Package List:

Red Hat Gluster Storage Server 3.3 on RHEL-6:

Source:
glusterfs-3.8.4-54.11.el6rhs.src.rpm

noarch:
python-gluster-3.8.4-54.11.el6rhs.noarch.rpm

x86_64:
glusterfs-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-api-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-api-devel-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-cli-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-client-xlators-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-debuginfo-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-devel-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-events-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-fuse-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-ganesha-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-geo-replication-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-libs-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-rdma-3.8.4-54.11.el6rhs.x86_64.rpm
glusterfs-server-3.8.4-54.11.el6rhs.x86_64.rpm

Red Hat Storage Native Client for Red Hat Enterprise Linux 6:

Source:
glusterfs-3.8.4-54.11.el6.src.rpm

noarch:
python-gluster-3.8.4-54.11.el6.noarch.rpm

x86_64:
glusterfs-3.8.4-54.11.el6.x86_64.rpm
glusterfs-api-3.8.4-54.11.el6.x86_64.rpm
glusterfs-api-devel-3.8.4-54.11.el6.x86_64.rpm
glusterfs-cli-3.8.4-54.11.el6.x86_64.rpm
glusterfs-client-xlators-3.8.4-54.11.el6.x86_64.rpm
glusterfs-debuginfo-3.8.4-54.11.el6.x86_64.rpm
glusterfs-devel-3.8.4-54.11.el6.x86_64.rpm
glusterfs-fuse-3.8.4-54.11.el6.x86_64.rpm
glusterfs-libs-3.8.4-54.11.el6.x86_64.rpm
glusterfs-rdma-3.8.4-54.11.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
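The two package lists above give the fixed builds for each channel (`el7rhgs`, `el7`, `el6rhs`, `el6`). The following is an added example, not code from Red Hat or AusCERT, that compares installed glusterfs version-release strings against those fixed builds using a simplified rpm-style segment comparison. The `rpm -qa` output embedded here is constructed for demonstration; on a real host, feed the function the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`. The `FIXED` table, `rpm_vercmp`, `evr_cmp`, `dist_tag` and `audit` names are this example's own.

```python
"""Compare installed glusterfs packages against the fixed builds in
RHSA-2018:1954 and RHSA-2018:1955 (added example, not vendor code)."""
import re

# Fixed VERSION-RELEASE per dist tag, taken from the advisory package lists.
FIXED = {
    "el7rhgs": "3.8.4-54.10.el7rhgs",  # Red Hat Gluster Storage Server 3.3 on RHEL-7
    "el7": "3.8.4-54.10.el7",          # Native Client for RHEL 7
    "el6rhs": "3.8.4-54.11.el6rhs",    # Red Hat Gluster Storage Server 3.3 on RHEL-6
    "el6": "3.8.4-54.11.el6",          # Native Client for RHEL 6
}

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpm_vercmp(a, b):
    """Simplified rpm version ordering: split into numeric and alphabetic
    segments; numerics compare numerically, alphas lexically, a numeric
    segment outranks an alphabetic one, and on a tie the longer string wins.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare two 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def dist_tag(release):
    """Extract the trailing dist tag (el6, el6rhs, el7, el7rhgs) from a release."""
    m = re.search(r"\.(el\d(?:rhgs|rhs)?)$", release)
    return m.group(1) if m else None


def audit(rpm_qa_lines):
    """Return {package: (installed_vr, fixed_vr_or_None, is_fixed)} for every
    glusterfs* and python-gluster line in 'NAME VERSION-RELEASE' format."""
    result = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, vr = line.split()
        if not (name.startswith("glusterfs") or name == "python-gluster"):
            continue
        fixed = FIXED.get(dist_tag(vr.split("-", 1)[1]))
        if fixed is None:
            # Unknown channel: cannot judge automatically, flag for manual review.
            result[name] = (vr, None, False)
            continue
        result[name] = (vr, fixed, evr_cmp(vr, fixed) >= 0)
    return result


# Constructed sample: a host with a mix of patched and unpatched packages.
SAMPLE_RPM_QA = """\
glusterfs 3.8.4-54.10.el7rhgs
glusterfs-server 3.8.4-54.8.el7rhgs
glusterfs-libs 3.8.4-54.10.el7rhgs
python-gluster 3.8.4-54.9.el7rhgs
glusterfs-fuse 3.8.4-54.11.el6
kernel 3.10.0-862.el7
"""

if __name__ == "__main__":
    for name, (inst, fixed, ok) in sorted(audit(SAMPLE_RPM_QA.splitlines()).items()):
        status = "OK" if ok else ("VULNERABLE" if fixed else "UNKNOWN")
        print(f"{status:10} {name:28} installed {inst}  fixed {fixed}")
```

Any package reported as VULNERABLE is older than the build in the advisory and still needs the update; an UNKNOWN dist tag means the package did not come from one of the four channels the advisory covers and should be checked against the vendor's own errata.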

7. References:

https://access.redhat.com/security/cve/CVE-2018-10841
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=3GKa
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=u0lF
-----END PGP SIGNATURE-----
