From ${URL} : setuid() sets the effective user ID of the calling process. If the effective UID of the caller is root, the real UID and saved set-user-ID are also set. On success, zero is returned. On error, -1 is returned, and errno is set appropriately. Note: there are cases where setuid() can fail even when the caller is UID 0; it is a grave security error to omit checking for a failure return from setuid(). if an environment limits the number of processes a user can have, setuid() might fail if the target uid already is at the limit. Can we have CVE assigned to this ? Upstream Ref: http://review.gluster.org/#/c/10780/ https://github.com/gluster/glusterfs/commit/b5ceb1a9de9af563b0f91e2a3138fa5a95cad9f6 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
updated dependencies, if you agree to proceed with 3.5.4 stabilization ?
GLSA Vote: No No longer in tree, all cleaned.