CVE-2018-14651

Name: CVE-2018-14651
Description: It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1565-1
NVD severity: medium (attack range: remote)
Debian Bugs: 912997

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release             Version           Status
glusterfs (PTS)    jessie              3.5.2-2+deb8u3    vulnerable
                   jessie (security)   3.5.2-2+deb8u5    fixed
                   stretch             3.8.8-1           fixed
                   buster, sid         5.1-2             fixed

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version     Urgency   Origin       Debian Bugs
glusterfs   source   (unstable)   5.1-1             medium                 912997
glusterfs   source   jessie       3.5.2-2+deb8u5    medium    DLA-1565-1
glusterfs   source   stretch      (not affected)

Notes

[stretch] - glusterfs <not-affected> (Incomplete fixes for CVE-2018-109{26,27,28,29,30} not applied)
https://www.openwall.com/lists/oss-security/2018/10/31/5
https://bugzilla.redhat.com/show_bug.cgi?id=1632557
https://review.gluster.org/#/c/glusterfs/+/21527/
http://git.gluster.org/cgit/glusterfs.git/commit/?id=5fdb7ae37f602894f81a2cadc5a4c609a4c85427
