Description: The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 781018

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release          Version    Status
glusterfs (PTS)   stretch          3.8.8-1    fixed
                  bullseye, sid    7.6-1      fixed

The information below is based on the following data on fixed versions.

Package     Type     Release    Fixed Version     Urgency    Origin    Debian Bugs
glusterfs   source   squeeze    (not affected)
glusterfs   source   wheezy     (not affected)


[wheezy] - glusterfs <not-affected> (Vulnerability introduced after 3.2 release)
[squeeze] - glusterfs <not-affected> (Vulnerability introduced after 3.2 release) (3.5) (master)
GlusterFS after version 3.2 got changes in the RPC handling which seem to
introduce the vulnerability. With 3.2.x the issue is not reproducible.
