CVE-2018-14651

Name: CVE-2018-14651
Description: It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1565-1
Debian Bugs: 912997

Vulnerable and fixed packages

The table below lists information on source packages.

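| Source Package | Release | Version | Status |
|---|---|---|---|
| glusterfs (PTS) | buster | 5.5-3 | fixed |
| glusterfs (PTS) | bullseye | 9.2-1 | fixed |
| glusterfs (PTS) | bookworm | 10.3-5 | fixed |
| glusterfs (PTS) | sid, trixie | 11.1-4 | fixed |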

The information below is based on the following data on fixed versions.

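| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| glusterfs | source | jessie | 3.5.2-2+deb8u5 | | DLA-1565-1 | |
| glusterfs | source | stretch | (not affected) | | | |
| glusterfs | source | (unstable) | 5.1-1 | | | 912997 |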

Notes

[stretch] - glusterfs <not-affected> (Incomplete fixes for CVE-2018-109{26,27,28,29,30} not applied)
https://www.openwall.com/lists/oss-security/2018/10/31/5
https://bugzilla.redhat.com/show_bug.cgi?id=1632557
https://review.gluster.org/#/c/glusterfs/+/21527/
http://git.gluster.org/cgit/glusterfs.git/commit/?id=5fdb7ae37f602894f81a2cadc5a4c609a4c85427
