Incoming details.
I'm not sure but if this only affected 3.x then I think we're good now.
When certain options are enabled in Gluster, it creates a volume called gluster_shared_storage. This volume is mounted on each server in the cluster and used to share state. The volume is not intended to be mounted by storage clients as it does not contain any data that is intended to be user accessible. When snapshot scheduling is enabled in Gluster, this gluster_shared_storage volume is used to coordinate the snapshots. Part of that is sharing the cron job that is used to trigger scheduled snaps. The crontab file exposed in the shared volume is symlinked into each server's /etc/cron.d directory. By default, the shared_storage volume can be mounted by any client that has access to the cluster to mount data volumes. Further, since Gluster relies on client-reported uids, the shared_storage volume can be written from any of these clients, permitting cron entries to be added to the system crontab directory such that they will be executed by each server as root (or any other uid).

Snapshot scheduler is disabled by default after initialization.

https://review.gluster.org/#/c/19899/
https://review.gluster.org/#/c/19898/

When fixing the issue it's important to not apply the incomplete fix and open CVE-2018-1112, which causes auth.allow to allow all clients to mount volumes. Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1570891

Needs: https://review.gluster.org/#/c/19899/1..2
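The comment above describes the exposure as a chain: a client-writable shared volume, a crontab file on it, and a symlink from /etc/cron.d into that file, so that whatever lands in the file runs as root on every server. A defender auditing a server wants to see that chain concretely. The following is an added example, not code from this bug report, from Gentoo, or from the Gluster project: it walks a cron.d directory, flags entries that are symlinks resolving inside the shared volume's mount point, and parses the jobs such an entry would run (including the user field). The mount path, the file name `glusterfs_snap_cron_tasks`, the `gcron.py` command and the fixture built by `build_demo()` are all constructed for the demonstration and are assumptions, not facts taken from the page.

```python
import os
import tempfile
from pathlib import Path


def parse_cron_d_file(path):
    """Parse a /etc/cron.d-style file: five time fields (or an @shortcut),
    a user name, then the command. Returns a list of (user, command) tuples;
    blank lines, comments and VAR=value assignments are skipped."""
    entries = []
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)          # @reboot user command
            if len(fields) == 3:
                entries.append((fields[1], fields[2]))
            continue
        fields = line.split(None, 6)              # m h dom mon dow user command
        if len(fields) == 7:
            entries.append((fields[5], fields[6]))
    return entries


def audit_cron_dir(cron_dir, shared_mount):
    """Find entries in cron_dir that are symlinks resolving inside shared_mount.
    Each finding records the entry name, the resolved target, and the
    (user, command) pairs the server's cron daemon would execute from a file
    that, per the report above, clients of the shared volume can rewrite."""
    cron_dir = Path(cron_dir)
    shared_mount = Path(shared_mount).resolve()
    findings = []
    for entry in sorted(cron_dir.iterdir()):
        if not entry.is_symlink():
            continue                              # a regular file is out of scope here
        target = entry.resolve()
        try:
            target.relative_to(shared_mount)
        except ValueError:
            continue                              # points somewhere other than the shared volume
        jobs = parse_cron_d_file(target) if target.is_file() else []
        findings.append({"entry": entry.name, "target": str(target), "jobs": jobs})
    return findings


def build_demo():
    """Build a throwaway layout imitating one server (constructed fixture):
    an etc/cron.d with an ordinary file plus one symlink into a simulated
    shared_storage mount. Paths and file names are assumptions."""
    root = Path(tempfile.mkdtemp(prefix="gluster-cron-demo-"))
    cron_d = root / "etc" / "cron.d"
    shared = root / "run" / "gluster" / "shared_storage"   # assumed mount point
    snaps = shared / "snaps"
    cron_d.mkdir(parents=True)
    snaps.mkdir(parents=True)
    # Ordinary, locally owned cron file: not a symlink, so not reported.
    (cron_d / "local-backup").write_text("0 3 * * * root /usr/local/bin/backup\n")
    # Scheduler-managed crontab living on the shared volume (constructed content).
    tasks = snaps / "glusterfs_snap_cron_tasks"
    tasks.write_text(
        "# constructed sample of a scheduler-managed crontab\n"
        "PATH=/usr/bin:/bin\n"
        "*/30 * * * * root /usr/sbin/gcron.py snap-vol1\n"
        "@reboot root /usr/sbin/gcron.py --init\n"
    )
    os.symlink(tasks, cron_d / "glusterfs_snap_cron_tasks")
    return cron_d, shared


if __name__ == "__main__":
    cron_d, shared = build_demo()
    for finding in audit_cron_dir(cron_d, shared):
        print(f"{finding['entry']} -> {finding['target']}")
        for user, command in finding["jobs"]:
            print(f"  runs as {user}: {command}")
```

On a real server the call would be `audit_cron_dir("/etc/cron.d", mount_point)` with the mount point read from `mount` or /proc/mounts; the point of the check is that every job listed under a finding runs with the privileges of the user column even though the file's contents are controlled from the client side of the volume.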
*** Bug 655546 has been marked as a duplicate of this bug. ***
@arches, please stabilize. Targeting 4.1.5.
amd64 stable
ppc stable
ppc64 stable
x86 stable
Seems like by accident 4.0.2 got stabilized on amd64 while the rest stabilized 4.1.5.
amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Maintainer(s), please drop the vulnerable version(s): 4.0.2, 4.0.0-r1 New GLSA Request filed.
This issue was resolved and addressed in GLSA 201904-06 at https://security.gentoo.org/glsa/201904-06 by GLSA coordinator Aaron Bauman (b-man).
Reopening for cleanup. Maintainer(s), please drop the vulnerable version(s).
(In reply to Yury German from comment #13)
> Reopening for cleanup.
> Maintainer(s), please drop the vulnerable version(s).

Cleanup will happen in bug #670088 after final stables...