Michael Adam
2017-Dec-18 17:10 UTC
[Gluster-users] Heketi v5.0.1 security release available for download
Heketi v5.0.1 is now available.

This release[1] fixes a flaw that was found in the heketi API that permits issuing of OS commands through specially crafted requests, possibly leading to escalation of privileges. More details can be obtained at CVE-2017-15103. [2]

If authentication is turned "on" in the heketi configuration, the flaw can be exploited only by those who possess the authentication key. In case you have a deployment without authentication set to true, we recommend that you turn it on and also upgrade to the version with the fix.

We thank Markus Krell of NTT Security for identifying the vulnerability and notifying us about it.

The fix was provided by Raghavendra Talur of Red Hat.

Note that previous versions of Heketi are discontinued and users are strongly recommended to upgrade to Heketi 5.0.1.

Michael Adam on behalf of the Heketi team

[1] https://github.com/heketi/heketi/releases/tag/v5.0.1
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15103
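The advisory gives two conditions to check on a deployment: that the running Heketi is at least v5.0.1, and that authentication is enabled with keys the attacker does not hold. The script below is an added example written for this page, not code from the Heketi project or the advisory author. It assumes the heketi.json layout (a top-level "use_auth" boolean and a "jwt" object with "admin" and "user" entries, each carrying a "key"); the two sample configurations embedded in it are constructed for illustration, the 16-character minimum key length is an arbitrary threshold chosen here, and no real secrets appear.

```python
"""Audit a Heketi deployment against the v5.0.1 / CVE-2017-15103 advisory.

Added example; not Heketi project code. Assumes heketi.json uses the keys
"use_auth" and "jwt" -> "admin"/"user" -> "key". Sample configs are constructed.
"""
import json

# First release carrying the fix, per the advisory.
FIXED_VERSION = (5, 0, 1)
# Arbitrary threshold used by this example only; not a Heketi requirement.
MIN_KEY_LEN = 16


def parse_version(tag):
    """Turn a release tag such as 'v5.0.1' or '5.0.0-rc1' into a comparable tuple."""
    core = tag.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def needs_upgrade(tag):
    """True when the running version predates the fixed release."""
    return parse_version(tag) < FIXED_VERSION


def audit_config(config_text):
    """Return a list of findings for a heketi.json document (empty list = clean)."""
    cfg = json.loads(config_text)
    findings = []

    # Without use_auth the command-injection flaw is reachable by anyone who can
    # talk to the API port; the advisory says to turn it on and upgrade.
    if cfg.get("use_auth") is not True:
        findings.append("use_auth is not true: the API accepts unauthenticated requests")

    jwt = cfg.get("jwt", {})
    keys = {}
    for role in ("admin", "user"):
        key = jwt.get(role, {}).get("key", "")
        keys[role] = key
        if not key:
            findings.append(f"jwt.{role}.key is empty")
        elif len(key) < MIN_KEY_LEN:
            findings.append(f"jwt.{role}.key is short ({len(key)} chars, < {MIN_KEY_LEN})")

    # A shared secret means anyone holding the user key can mint admin tokens.
    if keys["admin"] and keys["admin"] == keys["user"]:
        findings.append("jwt.admin.key and jwt.user.key are identical")
    return findings


def audit_deployment(version_tag, config_text):
    """Combine the version check and the config audit into one report."""
    findings = audit_config(config_text)
    if needs_upgrade(version_tag):
        findings.insert(0, f"Heketi {version_tag} predates the v5.0.1 fix for CVE-2017-15103")
    return findings


# Constructed sample: auth off, placeholder keys shared between roles.
WEAK_CONFIG = json.dumps({
    "port": "8080",
    "use_auth": False,
    "jwt": {"admin": {"key": "My Secret"}, "user": {"key": "My Secret"}},
    "glusterfs": {"executor": "mock"},
})

# Constructed sample: auth on, distinct long keys (placeholder values, not real secrets).
HARDENED_CONFIG = json.dumps({
    "port": "8080",
    "use_auth": True,
    "jwt": {
        "admin": {"key": "admin-example-key-0123456789abcdef"},
        "user": {"key": "user-example-key-fedcba9876543210"},
    },
    "glusterfs": {"executor": "mock"},
})

if __name__ == "__main__":
    for name, tag, cfg in (("weak", "v5.0.0", WEAK_CONFIG),
                           ("hardened", "v5.0.1", HARDENED_CONFIG)):
        print(name, audit_deployment(tag, cfg) or ["no findings"])
```

To use it against a real server, load /etc/heketi/heketi.json into audit_config and pass the tag reported by your package manager or the release you deployed into audit_deployment. The version check is advisory-driven and deliberately simple; it treats any pre-release suffix as belonging to the base version it names.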
Niels de Vos
2017-Dec-19 12:29 UTC
[Gluster-users] [heketi-devel] Heketi v5.0.1 security release available for download
On Mon, Dec 18, 2017 at 06:10:29PM +0100, Michael Adam wrote:
> Heketi v5.0.1 is now available.

Packages for the CentOS Storage SIG are now becoming available in the testing repository. Packages can be obtained (soon) with the following steps:

    # yum --enablerepo=centos-gluster*-test update heketi

The update will show up for systems that have the repository files from the centos-release-gluster{310,312,313} packages. Other repositories will not receive any updates anymore.

I'd appreciate it if someone could do basic testing of the update. When some feedback is provided, the package can be marked for release to the CentOS mirrors.

Niels

> This release[1] fixes a flaw that was found in the heketi API that
> permits issuing of OS commands through specially crafted
> requests, possibly leading to escalation of privileges. More
> details can be obtained at CVE-2017-15103. [2]
>
> If authentication is turned "on" in the heketi configuration, the
> flaw can be exploited only by those who possess the authentication
> key. In case you have a deployment without authentication set to
> true, we recommend that you turn it on and also upgrade to the
> version with the fix.
>
> We thank Markus Krell of NTT Security for identifying
> the vulnerability and notifying us about it.
>
> The fix was provided by Raghavendra Talur of Red Hat.
>
> Note that previous versions of Heketi are discontinued
> and users are strongly recommended to upgrade to Heketi 5.0.1.
>
> Michael Adam on behalf of the Heketi team
>
> [1] https://github.com/heketi/heketi/releases/tag/v5.0.1
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15103