| Summary: | sys-cluster/glusterfs-3.5.3: The memories are exhausted quickly when handle the message which has multi fragments in a single record (CVE-2014-3619) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | cardoe, cluster |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1136221 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | =sys-cluster/glusterfs-3.6.5 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 444098, 484016, 558422 | | |
Description

Agostino Sarubbo, 2015-02-27 17:05:30 UTC

Ok ago, I dropped all 3.4 versions from tree and bumped 3.5.3 which is not vulnerable.

+*glusterfs-3.5.3 (23 Mar 2015)
+
+  23 Mar 2015; Ultrabug <ultrabug@gentoo.org> -glusterfs-3.3.0.ebuild,
+  -glusterfs-3.4.2-r1.ebuild, -glusterfs-3.4.4.ebuild,
+  -glusterfs-3.4.4-r2.ebuild, -glusterfs-3.5.1.ebuild, -glusterfs-3.5.2.ebuild,
+  +glusterfs-3.5.3.ebuild, +files/glusterd-r2.initd:
+  version bump, drop old and vulnerable wrt #541540, fix #536606 thx to Jaco
+  Kroon, fix #529676 thx to Christian Affolter

CVE-2014-3619 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3619): The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

@ Arches, please test and mark stable: =sys-cluster/glusterfs-3.6.5

amd64 stable

x86 stable

*** Bug 484016 has been marked as a duplicate of this bug. ***

ppc stable

ppc64 stable. Maintainer(s), please cleanup. Security, please vote.

GLSA Vote: No

@ Maintainer(s): Please cleanup and drop =sys-cluster/glusterfs-3.1.2!

Cleanup done

All done, repository is clean.
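As an added illustration (not GlusterFS or Gentoo code), a defensive reader for ONC RPC record-marking headers: the 4-byte big-endian header whose top bit flags the last fragment and whose low 31 bits give the fragment length. It rejects the all-zero non-final header named in the CVE text, which would otherwise let a read loop spin without consuming payload, and caps the reassembled record (MAX_RECORD_BYTES is an assumed limit) against the memory exhaustion in the bug title.

```c
/* Defensive ONC RPC record-marking reader. Added example; assumed constants. */
#include <stdint.h>
#include <stddef.h>

#define RM_LAST_FRAG     0x80000000u
#define RM_SIZE_MASK     0x7fffffffu
#define MAX_RECORD_BYTES (1u << 20)   /* assumed per-record reassembly cap */

enum rm_status { RM_OK = 0, RM_NEED_MORE, RM_ZERO_FRAGMENT, RM_RECORD_TOO_LARGE };

struct rm_state {
    uint32_t record_bytes;  /* payload bytes accumulated for the current record */
    int      complete;      /* set once the last-fragment bit has been seen */
};

/* Parse one fragment header from buf; on RM_OK fills *frag_len and *last. */
enum rm_status rm_next_fragment(struct rm_state *st, const uint8_t *buf,
                                size_t len, uint32_t *frag_len, int *last)
{
    if (len < 4) return RM_NEED_MORE;
    uint32_t hdr = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    *last = (hdr & RM_LAST_FRAG) != 0;
    *frag_len = hdr & RM_SIZE_MASK;
    /* A zero-length fragment that is not the last one carries no payload, so a
     * reader that loops "until this fragment is drained" never advances (the
     * "00000000" header in the CVE description). Reject it outright. */
    if (*frag_len == 0 && !*last) return RM_ZERO_FRAGMENT;
    /* Bound total record size so a long run of fragments cannot exhaust memory. */
    if (*frag_len > MAX_RECORD_BYTES - st->record_bytes) return RM_RECORD_TOO_LARGE;
    st->record_bytes += *frag_len;
    if (*last) st->complete = 1;
    return RM_OK;
}

/* Walk a complete byte stream of fragments; returns the number of fragments
 * accepted, or -1 if a header is rejected or the stream is truncated.
 * Every accepted header advances off, so the loop always terminates. */
int rm_count_fragments(const uint8_t *buf, size_t len)
{
    struct rm_state st = {0, 0};
    size_t off = 0;
    int n = 0;
    while (!st.complete) {
        uint32_t fl; int last;
        if (rm_next_fragment(&st, buf + off, len - off, &fl, &last) != RM_OK) return -1;
        off += 4;
        if (fl > len - off) return -1;   /* payload truncated */
        off += fl;
        n++;
    }
    return n;
}
```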