Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658606 (CVE-2018-10841) - <sys-cluster/glusterfs-4.1.8: access trusted peer group via remote-host command (CVE-2018-10841)
Summary: <sys-cluster/glusterfs-4.1.8: access trusted peer group via remote-host comma...
Alias: CVE-2018-10841
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Depends on: CVE-2018-14651, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661
  Show dependency tree
Reported: 2018-06-20 19:49 UTC by Florian Schuhmacher
Modified: 2019-04-02 04:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-06-20 19:49:04 UTC
A flaw was found in glusterfs which can lead to privilege escalation on 
gluster server nodes.

It was found that any gluster client authenticated via TLS could use
gluster cli with --remote-host command to add itself to gluster trusted 
pool and perform all gluster operations like peer probe itself or other 
machines, start, stop, delete volumes etc.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-06-22 11:05:44 UTC
Upstream patch:
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-03-24 13:09:33 UTC
Maintainers, please confirm.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-03-28 20:19:36 UTC
Upstream released 4.1.8... 22 hours ago and the patch is in that release.
Comment 4 Larry the Git Cow gentoo-dev 2019-03-28 20:43:32 UTC
The bug has been referenced in the following commit(s):

commit 7ad0e566365b914c27b06a36e7a26209c957511c
Author:     Aaron Bauman <>
AuthorDate: 2019-03-28 20:40:20 +0000
Commit:     Aaron Bauman <>
CommitDate: 2019-03-28 20:43:19 +0000

    sys-cluster/glusterfs: bup to fix outstanding security issues
    * This bump addresses multiple CVEs that have been fixed upstream
    Signed-off-by: Aaron Bauman <>

 sys-cluster/glusterfs/Manifest               |   1 +
 sys-cluster/glusterfs/glusterfs-4.1.8.ebuild | 226 +++++++++++++++++++++++++++
 2 files changed, 227 insertions(+)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-04-02 04:28:01 UTC
This issue was resolved and addressed in
 GLSA 201904-06 at
by GLSA coordinator Aaron Bauman (b-man).