Description: The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.
Source: CVE
NVD severity: medium (attack range: remote)
Debian Bugs: 781018

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release             Version          Status
glusterfs (PTS)    jessie              3.5.2-2+deb8u3   fixed
                   jessie (security)   3.5.2-2+deb8u5   fixed
                   buster, sid         5.3-2            fixed

The information below is based on the following data on fixed versions.

Package     Type     Release   Fixed Version    Urgency   Origin   Debian Bugs
glusterfs   source   squeeze   (not affected)
glusterfs   source   wheezy    (not affected)


[wheezy] - glusterfs <not-affected> (Vulnerability introduced after 3.2 release)
[squeeze] - glusterfs <not-affected> (Vulnerability introduced after 3.2 release) (3.5) (master)
Changes to the RPC handling in GlusterFS after version 3.2 appear to have introduced the vulnerability; the issue is not reproducible with 3.2.x.
