A flaw was found in glusterfs which can lead to privilege escalation on
gluster server nodes.
It was found that any gluster client authenticated via TLS could use the
gluster CLI with the --remote-host option to add itself to the gluster
trusted pool and perform all gluster operations, such as peer probing
itself or other machines, and starting, stopping or deleting volumes.
Gentoo Security Scout
Upstream patch: http://git.gluster.org/cgit/glusterfs.git/commit/?id=e8d928e34680079e42be6947ffacc4ddd7defca2
Maintainers, please confirm.
Upstream released 4.1.8... 22 hours ago and the patch is in that release.
The bug has been referenced in the following commit(s):
Author: Aaron Bauman <email@example.com>
AuthorDate: 2019-03-28 20:40:20 +0000
Commit: Aaron Bauman <firstname.lastname@example.org>
CommitDate: 2019-03-28 20:43:19 +0000
sys-cluster/glusterfs: bump to fix outstanding security issues
* This bump addresses multiple CVEs that have been fixed upstream
Signed-off-by: Aaron Bauman <email@example.com>
sys-cluster/glusterfs/Manifest | 1 +
sys-cluster/glusterfs/glusterfs-4.1.8.ebuild | 226 +++++++++++++++++++++++++++
2 files changed, 227 insertions(+)
This issue was resolved and addressed in
GLSA 201904-06 at https://security.gentoo.org/glsa/201904-06
by GLSA coordinator Aaron Bauman (b-man).