On Mon, Dec 18, 2017 at 06:10:29PM +0100, Michael Adam wrote:
>
> Heketi v5.0.1 is now available.

Packages for the CentOS Storage SIG are now becoming available in the
testing repository. Packages can be obtained (soon) with the following
steps:

    # yum --enablerepo=centos-gluster*-test update heketi

The update will show up for systems that have the repository files from
the centos-release-gluster{310,312,313} packages. Other repositories will
not receive any updates anymore.

I'd appreciate it if someone could do basic testing of the update. When
some feedback is provided, the package can be marked for release to the
CentOS mirrors.

Niels

> This release[1] fixes a flaw that was found in the heketi API that
> permits issuing of OS commands through specially crafted
> requests, possibly leading to escalation of privileges. More
> details can be obtained at CVE-2017-15103. [2]
>
> If authentication is turned "on" in the heketi configuration, the
> flaw can be exploited only by those who possess the authentication
> key. In case you have a deployment without authentication set to
> true, we recommend that you turn it on and also upgrade to the
> version with the fix.
>
>
> We thank Markus Krell of NTT Security for identifying
> the vulnerability and notifying us about it.
>
> The fix was provided by Raghavendra Talur of Red Hat.
>
>
> Note that previous versions of Heketi are discontinued
> and users are strongly recommended to upgrade to Heketi 5.0.1.
>
>
> Michael Adam on behalf of the Heketi team
>
>
> [1] https://github.com/heketi/heketi/releases/tag/v5.0.1
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15103
> _______________________________________________
> heketi-devel mailing list
> heketi-devel@xxxxxxxxxxx
> http://lists.gluster.org/mailman/listinfo/heketi-devel

_______________________________________________
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
http://lists.gluster.org/mailman/listinfo/gluster-users
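The advisory's interim advice is to run heketi with authentication enabled until the fixed package lands. The following Python is an added, constructed audit (not code from either message or from the heketi project) that reads a heketi.json and reports whether that advice is met; it assumes heketi's documented config layout (a top-level `use_auth` boolean and `jwt.admin.key` / `jwt.user.key` secrets) and that "My Secret" is the placeholder shipped in the sample config.

```python
"""Audit a heketi.json for the mitigation recommended for CVE-2017-15103:
authentication must be on (use_auth: true) and the JWT keys must not be
left at the sample placeholder. Layout assumptions are documented above."""
import json

# Assumed placeholder value from heketi's sample config, plus the empty string.
SAMPLE_KEYS = {"My Secret", ""}
MIN_KEY_LENGTH = 16


def audit_heketi_config(config_text):
    """Return a list of findings; an empty list means the config meets the advice."""
    cfg = json.loads(config_text)
    findings = []

    # Without use_auth the REST API accepts requests from anyone who can reach it.
    if cfg.get("use_auth") is not True:
        findings.append("use_auth is not true: the API is reachable without an auth key")

    # With auth on, the JWT secrets are what gate the API, so they must be real secrets.
    jwt = cfg.get("jwt") or {}
    for role in ("admin", "user"):
        key = (jwt.get(role) or {}).get("key")
        if key is None:
            findings.append("jwt.%s.key is missing" % role)
        elif key in SAMPLE_KEYS or len(key) < MIN_KEY_LENGTH:
            findings.append("jwt.%s.key is a sample or short secret" % role)
    return findings


# Constructed configs for demonstration; not taken from any real deployment.
WEAK_CONFIG = json.dumps({
    "port": "8080",
    "use_auth": False,
    "jwt": {"admin": {"key": "My Secret"}, "user": {"key": "My Secret"}},
})
HARDENED_CONFIG = json.dumps({
    "port": "8080",
    "use_auth": True,
    "jwt": {"admin": {"key": "constructed-admin-secret-0123"},
            "user": {"key": "constructed-user-secret-4567"}},
})

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_heketi_config(text) or ["ok"])
```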