RHSA-2017:0484 - Security Advisory

Topic

An update is now available for Red Hat Gluster Storage 3.2 on Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Gluster Storage is a software only scale-out storage solution that provides flexible and affordable unstructured data storage. It unifies data storage and infrastructure, increases performance, and improves availability and manageability to meet enterprise-level storage challenges.

The following packages have been upgraded to a later upstream version: glusterfs (3.8.4), redhat-storage-server (3.2.0.3). (BZ#1362373)

Security Fix(es):

• It was found that glusterfs-server RPM package would write file with predictable name into world readable /tmp directory. A local attacker could potentially use this flaw to escalate their privileges to root by modifying the shell script during the installation of the glusterfs-server package. (CVE-2015-1795)

This issue was discovered by Florian Weimer of Red Hat Product Security.

Bug Fix(es):

• Bricks remain stopped if server quorum is no longer met, or if server quorum is disabled, to ensure that bricks in maintenance are not started incorrectly. (BZ#1340995)
• The metadata cache translator has been updated to improve Red Hat Gluster Storage performance when reading small files. (BZ#1427783)
• The 'gluster volume add-brick' command is no longer allowed when the replica count has increased and any replica bricks are unavailable. (BZ#1404989)
• Split-brain resolution commands work regardless of whether client-side heal or the self-heal daemon are enabled. (BZ#1403840)

Enhancement(s):

• Red Hat Gluster Storage now provides Transport Layer Security support for Samba and NFS-Ganesha. (BZ#1340608, BZ#1371475)
• A new reset-sync-time option enables resetting the sync time attribute to zero when required. (BZ#1205162)
• Tiering demotions are now triggered at most 5 seconds after a hi-watermark breach event. Administrators can use the cluster.tier-query-limit volume parameter to specify the number of records extracted from the heat database during demotion. (BZ#1361759)
• The /var/log/glusterfs/etc-glusterfs-glusterd.vol.log file is now named /var/log/glusterfs/glusterd.log. (BZ#1306120)
• The 'gluster volume attach-tier/detach-tier' commands are considered deprecated in favor of the new commands, 'gluster volume tier VOLNAME attach/detach'. (BZ#1388464)
• The HA_VOL_SERVER parameter in the ganesha-ha.conf file is no longer used by Red Hat Gluster Storage. (BZ#1348954)
• The volfile server role can now be passed to another server when a server is unavailable. (BZ#1351949)
• Ports can now be reused when they stop being used by another service. (BZ#1263090)
• The thread pool limit for the rebalance process is now dynamic, and is determined based on the number of available cores. (BZ#1352805)
• Brick verification at reboot now uses UUID instead of brick path. (BZ#1336267)
• LOGIN_NAME_MAX is now used as the maximum length for the slave user instead of __POSIX_LOGIN_NAME_MAX, allowing for up to 256 characters including the NULL byte. (BZ#1400365)
• The client identifier is now included in the log message to make it easier to determine which client failed to connect. (BZ#1333885)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Gluster Storage Server for On-premise 3 for RHEL 6 x86_64

Fixes

• BZ - 1200927 - CVE-2015-1795 glusterfs: glusterfs-server %pretrans rpm script temporary file issue
• BZ - 1362373 - [RHEL6] Rebase glusterfs at RHGS-3.2.0 release
• BZ - 1375059 - [RHEL-6] Include vdsm and related dependency packages at RHGS 3.2.0 ISO
• BZ - 1382319 - [RHEL6] SELinux prevents FUSE mounting of RDMA transport type volumes
• BZ - 1403587 - [Perf] : pcs cluster resources went into stopped state during Multithreaded perf tests on RHGS layered over RHEL 6
• BZ - 1403919 - [Ganesha] : pcs status is not the same across the ganesha cluster in RHEL 6 environment
• BZ - 1404551 - Lower version of packages subscription-manager, python-rhsm found in RHGS3.2 RHEL6 ISO.
• BZ - 1424944 - [Ganesha] : Unable to bring up a Ganesha HA cluster on RHEL 6.9.
• BZ - 1425748 - [GANESHA] Adding a node to existing ganesha cluster is failing on rhel 6.9
• BZ - 1432972 - /etc/pki/product/69.pem shows version as 6.8 for RHGS3.2.0(6.9)

CVEs

• CVE-2015-1795

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.2/html/3.2_release_notes/