Red Hat Product Errata RHSA-2018:3431 - Security Advisory
Issued:
2018-10-31
Updated:
2018-10-31

Synopsis

Important: glusterfs security and bug fix update

Type/Severity

Security Advisory: Important

Topic

Updated glusterfs packages that fix multiple security issues and bugs are now available for Red Hat Gluster Storage 3.4 on Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system.

Security Fix(es):

  • glusterfs: glusterfs server exploitable via symlinks to relative paths (CVE-2018-14651)
  • glusterfs: Buffer overflow in "features/locks" translator allows for denial of service (CVE-2018-14652)
  • glusterfs: Heap-based buffer overflow via "gf_getspec_req" RPC message (CVE-2018-14653)
  • glusterfs: "features/index" translator can create arbitrary, empty files (CVE-2018-14654)
  • glusterfs: Unlimited file creation via "GF_XATTR_IOSTATS_DUMP_KEY" xattr allows for denial of service (CVE-2018-14659)
  • glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion (CVE-2018-14660)
  • glusterfs: features/locks translator passes a user-controlled string to snprintf without a proper format string resulting in a denial of service (CVE-2018-14661)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting these issues.

This update provides the following bug fix(es):

  • MD5 checksums are replaced with FIPS-compliant SHA256 checksums, and glusterd no longer crashes when run on a FIPS-enabled machine. (BZ#1459709)
  • The flock is explicitly unlocked and the status file is updated so that the reference is not leaked to any worker or agent process. As a result of this fix, all workers come up without fail. (BZ#1623749)
  • All HTIME index files are checked for the specified start and end times, and the History API no longer fails when multiple HTIME files exist. (BZ#1627639)
  • After upgrading to Red Hat Gluster Storage 3.4 from earlier versions of Red Hat Gluster Storage, the volume size displayed by the df command was smaller than the actual volume size. This has been fixed and the df command now shows the correct size for all volumes. (BZ#1630997)
  • The algorithm that disables eager-lock is modified so that eager-lock is disabled only when multiple write operations try to modify a file at the same time. Write performance on a file is therefore improved regardless of how many times the file is simultaneously open for reading. (BZ#1630688)
  • heal-info no longer treats the presence of dirty markers as an indication of split-brain and no longer displays such entries as being in a split-brain state. (BZ#1610743)

All users of Red Hat Gluster Storage are advised to upgrade to these
updated packages, which provide numerous bug fixes and enhancements.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 6 x86_64
  • Red Hat Gluster Storage Server for On-premise 3 for RHEL 6 x86_64

Fixes

  • BZ - 1631576 - CVE-2018-14654 glusterfs: "features/index" translator can create arbitrary, empty files
  • BZ - 1632119 - [RHEL6] Some of the Posix compliance tests are failing on gluster mount
  • BZ - 1632557 - CVE-2018-14651 glusterfs: glusterfs server exploitable via symlinks to relative paths
  • BZ - 1632974 - CVE-2018-14652 glusterfs: Buffer overflow in "features/locks" translator allows for denial of service
  • BZ - 1633431 - CVE-2018-14653 glusterfs: Heap-based buffer overflow via "gf_getspec_req" RPC message
  • BZ - 1635926 - CVE-2018-14660 glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion
  • BZ - 1635929 - CVE-2018-14659 glusterfs: Unlimited file creation via "GF_XATTR_IOSTATS_DUMP_KEY" xattr allows for denial of service
  • BZ - 1636880 - CVE-2018-14661 glusterfs: features/locks translator passes an user-controlled string to snprintf without a proper format string resulting in a denial of service
  • BZ - 1643194 - [RHEL6] update with entitlement certificate for RHEL 6.10

CVEs

  • CVE-2018-14651
  • CVE-2018-14652
  • CVE-2018-14653
  • CVE-2018-14654
  • CVE-2018-14659
  • CVE-2018-14660
  • CVE-2018-14661

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux Server 6

SRPM
glusterfs-3.12.2-25.el6.src.rpm SHA-256: fcce92860ea5da9d89ad37262693172971ddf8ace25f7744d0f5f6b1c4eaa0c8
x86_64
glusterfs-3.12.2-25.el6.x86_64.rpm SHA-256: 3077897a4c6982af7087c6593ca4070255b12b0661259e67e8d94ad42512449b
glusterfs-api-3.12.2-25.el6.x86_64.rpm SHA-256: a887bb4c1d8f7ad34007e052af94701db4f167f5fa8859dee82dc97cace2c8a3
glusterfs-api-devel-3.12.2-25.el6.x86_64.rpm SHA-256: 52cf2960559810d33833d22006229425ca10687ac94cf6182ac00a254a132ceb
glusterfs-cli-3.12.2-25.el6.x86_64.rpm SHA-256: db695703cf2654b42b28c44bfabd4162f2b86b5567986118b5009906b43920ea
glusterfs-client-xlators-3.12.2-25.el6.x86_64.rpm SHA-256: 8168276ba22d6c86b6b361148b35f439cb955537ab22c00bd8e10c2cc734a337
glusterfs-debuginfo-3.12.2-25.el6.x86_64.rpm SHA-256: 8f1e82e8488279a14757d80ae6614a02f9024814909c90012486de2117a6da89
glusterfs-devel-3.12.2-25.el6.x86_64.rpm SHA-256: 0d384f73aad08fac44ad153863e4be9fbee956214023c4f06e60bc0c4ff21372
glusterfs-fuse-3.12.2-25.el6.x86_64.rpm SHA-256: 0071978bd98be57a2873ddb80365b36fc27c887e93948a399463846384a8661e
glusterfs-libs-3.12.2-25.el6.x86_64.rpm SHA-256: 85dd234269ca1afaeea2396687c509a51b43becbb9327c37302b86f48ba92dda
glusterfs-rdma-3.12.2-25.el6.x86_64.rpm SHA-256: 73b374f0ac9222ca01e32777488756c028a00cf0f51013b2cefd2f30d17e30f0
python2-gluster-3.12.2-25.el6.x86_64.rpm SHA-256: ab3f14e6a6f1f696921d8b04391fb58d3cab49ec17a9126eae00ac374724cf83

Red Hat Gluster Storage Server for On-premise 3 for RHEL 6

SRPM
glusterfs-3.12.2-25.el6rhs.src.rpm SHA-256: ba43366ee9bc17058b420ce8ff2265ea162333bbb3bd2e1c582a166491aa02b2
redhat-storage-server-3.4.1.0-1.el6rhs.src.rpm SHA-256: 9f650fae63bf9a41fbefacd7767f26f1cbd6d4e0d537c96c8988bbb1cb8e9186
x86_64
glusterfs-3.12.2-25.el6rhs.x86_64.rpm SHA-256: e354ef46e8f7e577c303a3f14cfe4224d3e3c37eb3ba369a3808eaaa0680e11f
glusterfs-api-3.12.2-25.el6rhs.x86_64.rpm SHA-256: d3b1ab7ce521a11568a4ab4588d47ec76a060ad5b0c892036274d03fa39c605a
glusterfs-api-devel-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 452e1b6e9c6874ccd1415332bf66788f5e3251053f886657fd5a07a0c8151c44
glusterfs-cli-3.12.2-25.el6rhs.x86_64.rpm SHA-256: d8165130269338b275ff8fe95ddab36f28f9d06ed2a6814fb4903d790a383ace
glusterfs-client-xlators-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 41c9fe87699363bd11b75970332be4a333d94b5769b1091d3bf9834eb6bdb927
glusterfs-debuginfo-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 8c35d3b0e60f716d848e9bccb565a0c6cf89b9c5c6b2cec15a19cb855975ecf2
glusterfs-devel-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 20c87d6da42fdb4232ecf49e4f0e1f5a35cf2b9a869a233db33b2a07cddae37f
glusterfs-events-3.12.2-25.el6rhs.x86_64.rpm SHA-256: a66b06bc258ae43b2f21e41ed0636d2487ffc089fcbc40752dc50cb09fa27a1a
glusterfs-fuse-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 8293409940e4b3673fe1737c3d5bcec7d1a90ee3995d2a10fd28a945b4713c25
glusterfs-ganesha-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 0b471bc7be46d8fbf89580c17788d5632bb943c1e7963d93b85795ec1254dc88
glusterfs-geo-replication-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 508c9d5ab7c824579c4f7a382f3133c81cae63bc60dd30af65b47beca04dede8
glusterfs-libs-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 1dac75297e423dbf09173d99ab39f6ce2fadbf20e85a303ceecdb2d689115e2c
glusterfs-rdma-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 158932925afdbc19e615c60fb4725df3358c60ee935ce399b995177691ed8dad
glusterfs-server-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 8a6346aa49714a42b576760d57575b1dc857c7508e4f5c923d27586dc5339df7
python2-gluster-3.12.2-25.el6rhs.x86_64.rpm SHA-256: d289625dacaff6be1bbec99eb3f5d76ed2b8c3c5bc573fbede3e1fbec32a37a1
redhat-storage-server-3.4.1.0-1.el6rhs.noarch.rpm SHA-256: 3b064933808e16f9a730f999d43114852ac9f2d72886b1d6d07f9438e768a45b
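The Solution section above defers to the general update article, while the package lists publish the SHA-256 of every RPM in this erratum and, implicitly, the fixed build (3.12.2-25). The script below is an added example and not Red Hat's own tooling: it parses lines in the advisory's "name.rpm SHA-256: hex" format into a manifest, checks a download directory against that manifest, and re-implements rpm's version ordering so that an installed name-version-release can be compared with the fixed build before and after patching. It embeds two package lines copied from the Gluster Storage Server list above, ignores the RPM epoch (assumed absent for these packages), and the tampered file it writes in `demo_verify()` is constructed test data.

```python
"""Added example, not Red Hat tooling: verify downloaded RPMs against the
SHA-256 values this advisory publishes, and check whether an installed
glusterfs build is the fixed one or newer."""
import hashlib
import re
import tempfile
from itertools import zip_longest
from pathlib import Path

# Two lines copied from the advisory's "RHGS Server for On-premise 3 for
# RHEL 6" x86_64 list; in practice paste the whole list here.
ADVISORY_PACKAGE_LINES = """\
glusterfs-server-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 8a6346aa49714a42b576760d57575b1dc857c7508e4f5c923d27586dc5339df7
glusterfs-libs-3.12.2-25.el6rhs.x86_64.rpm SHA-256: 1dac75297e423dbf09173d99ab39f6ce2fadbf20e85a303ceecdb2d689115e2c
"""
FIXED_SERVER_NVR = "glusterfs-server-3.12.2-25.el6rhs"  # from the list above

_MANIFEST_RE = re.compile(r"^(\S+\.rpm)\s+SHA-256:\s*([0-9a-fA-F]{64})\s*$")
_SEG_RE = re.compile(r"[0-9]+|[A-Za-z]+|~")  # rpm version segments


def parse_manifest(text):
    """Map RPM file name -> expected SHA-256 (lowercase hex)."""
    out = {}
    for line in text.splitlines():
        m = _MANIFEST_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out


def verify_downloads(directory, manifest):
    """Return {rpm name: 'ok' | 'mismatch' | 'missing'} per manifest entry.

    'mismatch' means the file is not the build Red Hat published: do not
    install it.  This complements the GPG signature check (rpm -K) against
    Red Hat's product signing key, it does not replace it.
    """
    results = {}
    for name, expected in manifest.items():
        p = Path(directory) / name
        if not p.is_file():
            results[name] = "missing"
            continue
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        results[name] = "ok" if digest == expected else "mismatch"
    return results


def rpmvercmp(a, b):
    """Compare rpm version/release strings as rpm does; return -1, 0 or 1.

    Numeric segments compare as integers, alphabetic ones lexically, numeric
    beats alphabetic, '~' sorts before anything (even end of string), and
    otherwise the string with segments left over is newer.  The '^' marker
    is not handled (assumption: unused in these package names).
    """
    if a == b:
        return 0
    for x, y in zip_longest(_SEG_RE.findall(a), _SEG_RE.findall(b)):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def split_nvr(nvr):
    """'glusterfs-server-3.12.2-25.el6rhs' -> (name, version, release).
    Epoch is ignored (assumption: these packages carry none); no '.arch'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(installed_nvr, fixed_nvr=FIXED_SERVER_NVR):
    """True when the installed build is the fixed one or newer."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0


def demo_verify():
    """Constructed scenario: a download directory holding one tampered file."""
    d = tempfile.mkdtemp()
    decoy = Path(d) / "glusterfs-libs-3.12.2-25.el6rhs.x86_64.rpm"
    decoy.write_bytes(b"not the package Red Hat published")  # constructed
    return verify_downloads(d, parse_manifest(ADVISORY_PACKAGE_LINES))


if __name__ == "__main__":
    for name, status in demo_verify().items():
        print(f"{status:8s} {name}")
    for nvr in ("glusterfs-server-3.12.2-18.el6rhs", FIXED_SERVER_NVR):
        print("fixed" if is_fixed(nvr) else "VULNERABLE", nvr)
```

On a node, feed `is_fixed()` the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' glusterfs-server`, and pick the fixed NVR for the channel you actually consume (the el6rhs builds for the Gluster Storage Server product, the el6 builds for the RHEL 6 client packages); the two release strings are not meant to be compared with each other. A checksum match shows the file is byte-for-byte the published build, but only the signature check with Red Hat's product signing key ties it to Red Hat, so run both before installing.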

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Copyright © 2022 Red Hat, Inc.