[RHSA-2017:0484-01] Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update

bugzilla at redhat.com
Thu Mar 23 07:24:18 UTC 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:0484-01
Product:           Red Hat Gluster Storage
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0484.html
Issue date:        2017-03-23
CVE Names:         CVE-2015-1795 
=====================================================================

1. Summary:

An update is now available for Red Hat Gluster Storage 3.2 on Red Hat
Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster Storage Server 3.2 on RHEL-6 - noarch, x86_64
Red Hat Storage Native Client for Red Hat Enterprise Linux 6 - noarch, x86_64

3. Description:

Red Hat Gluster Storage is a software-only scale-out storage solution that
provides flexible and affordable unstructured data storage. It unifies data
storage and infrastructure, increases performance, and improves
availability and manageability to meet enterprise-level storage challenges.

The following packages have been upgraded to a later upstream version:
glusterfs (3.8.4), redhat-storage-server (3.2.0.3). (BZ#1362373)

Security Fix(es):

* It was found that the glusterfs-server RPM package would write a file with
a predictable name into the world-readable /tmp directory. A local attacker
could potentially use this flaw to escalate their privileges to root by
modifying the shell script during the installation of the glusterfs-server
package. (CVE-2015-1795)

This issue was discovered by Florian Weimer of Red Hat Product Security.
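
The flaw class described above (a privileged installer scriptlet writing a script to a guessable path in a shared temporary directory and later running it) is illustrated by the following added example. It is not the advisory's or the glusterfs-server package's own scriptlet: it contrasts a constructed predictable name with mktemp-based creation, and adds a check that a scriptlet can run before it trusts a temporary file. It assumes GNU coreutils (`mktemp`, `stat -c`) as shipped on RHEL 6; the file names are constructed for the example.

```shell
#!/bin/sh
# Added illustration (not Red Hat's glusterfs-server scriptlet).
# Assumes GNU coreutils `mktemp` and `stat -c`, as shipped on RHEL 6.

# Weak pattern: a fixed, guessable path in a shared directory. A privileged
# script that writes and then runs such a path can be redirected by whoever
# pre-creates it. Returned only for comparison; nothing is written here.
weak_tmp_path() {
    echo "/tmp/glusterfs-pretrans.sh"   # constructed name, not the real one
}

# Hardened pattern: mktemp creates the file atomically (O_EXCL) with an
# unpredictable suffix and mode 0600, so a pre-planted file or symlink cannot
# be opened in its place. The subshell keeps the umask change local.
safe_tmp_file() {
    ( umask 077; mktemp "${TMPDIR:-/tmp}/glusterfs-pretrans.XXXXXX" )
}

# Defensive check before a privileged script trusts a temporary file:
# regular file, not a symlink, owned by the caller, no group/other bits.
# Returns 0 when the file passes, 1 otherwise.
check_tmp_file() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$f")" in
        600|400|700|500) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration: create a safe file, check it, clean up.
tmp=$(safe_tmp_file)
if check_tmp_file "$tmp"; then
    echo "ok: $tmp passes the temp-file check"
else
    echo "rejected: $tmp"
fi
rm -f "$tmp"
```

The check is deliberately strict: a symlink at the expected path, or a file another user could have pre-created with open permissions, both fail it, which is exactly the situation a scriptlet using the weak pattern would not notice.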

Bug Fix(es):

* Bricks remain stopped if server quorum is no longer met, or if server
quorum is disabled, to ensure that bricks in maintenance are not started
incorrectly. (BZ#1340995)

* The metadata cache translator has been updated to improve Red Hat Gluster
Storage performance when reading small files. (BZ#1427783)

* The 'gluster volume add-brick' command is no longer allowed when the
replica count has increased and any replica bricks are unavailable.
(BZ#1404989)

* Split-brain resolution commands work regardless of whether client-side
heal or the self-heal daemon are enabled. (BZ#1403840)

Enhancement(s):

* Red Hat Gluster Storage now provides Transport Layer Security support for
Samba and NFS-Ganesha. (BZ#1340608, BZ#1371475)

* A new reset-sync-time option enables resetting the sync time attribute to
zero when required. (BZ#1205162)

* Tiering demotions are now triggered at most 5 seconds after a
hi-watermark breach event. Administrators can use the
cluster.tier-query-limit volume parameter to specify the number of records
extracted from the heat database during demotion. (BZ#1361759)

* The /var/log/glusterfs/etc-glusterfs-glusterd.vol.log file is now named
/var/log/glusterfs/glusterd.log. (BZ#1306120)

* The 'gluster volume attach-tier/detach-tier' commands are considered
deprecated in favor of the new commands, 'gluster volume tier VOLNAME
attach/detach'. (BZ#1388464)

* The HA_VOL_SERVER parameter in the ganesha-ha.conf file is no longer used
by Red Hat Gluster Storage. (BZ#1348954)

* The volfile server role can now be passed to another server when a server
is unavailable. (BZ#1351949)

* Ports can now be reused when they stop being used by another service.
(BZ#1263090)

* The thread pool limit for the rebalance process is now dynamic, and is
determined based on the number of available cores. (BZ#1352805)

* Brick verification at reboot now uses UUID instead of brick path.
(BZ#1336267)

* LOGIN_NAME_MAX is now used as the maximum length for the slave user
instead of __POSIX_LOGIN_NAME_MAX, allowing for up to 256 characters
including the NULL byte. (BZ#1400365)

* The client identifier is now included in the log message to make it
easier to determine which client failed to connect. (BZ#1333885)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1200927 - CVE-2015-1795 glusterfs: glusterfs-server %pretrans rpm script temporary file issue
1362373 - [RHEL6] Rebase glusterfs at RHGS-3.2.0 release
1375059 - [RHEL-6] Include vdsm and related dependency packages at RHGS 3.2.0 ISO
1382319 - [RHEL6] SELinux prevents FUSE mounting of RDMA transport type volumes
1403587 - [Perf] : pcs cluster resources went into stopped state during Multithreaded perf tests on RHGS layered over RHEL 6
1403919 - [Ganesha] : pcs status is not the same across the ganesha cluster in RHEL 6 environment
1404551 - Lower version of packages subscription-manager, python-rhsm found in RHGS3.2 RHEL6 ISO.
1424944 - [Ganesha] : Unable to bring up a Ganesha HA cluster on RHEL 6.9.
1425748 - [GANESHA] Adding a node to existing ganesha cluster is failing on rhel 6.9
1432972 - /etc/pki/product/69.pem shows version as 6.8 for RHGS3.2.0(6.9)

6. Package List:

Red Hat Gluster Storage Server 3.2 on RHEL-6:

Source:
glusterfs-3.8.4-18.el6rhs.src.rpm
redhat-storage-server-3.2.0.3-1.el6rhs.src.rpm

noarch:
python-gluster-3.8.4-18.el6rhs.noarch.rpm
redhat-storage-server-3.2.0.3-1.el6rhs.noarch.rpm

x86_64:
glusterfs-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-api-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-api-devel-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-cli-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-client-xlators-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-debuginfo-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-devel-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-events-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-fuse-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-ganesha-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-geo-replication-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-libs-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-rdma-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-server-3.8.4-18.el6rhs.x86_64.rpm

Red Hat Storage Native Client for Red Hat Enterprise Linux 6:

Source:
glusterfs-3.8.4-18.el6.src.rpm

noarch:
python-gluster-3.8.4-18.el6.noarch.rpm

x86_64:
glusterfs-3.8.4-18.el6.x86_64.rpm
glusterfs-api-3.8.4-18.el6.x86_64.rpm
glusterfs-api-devel-3.8.4-18.el6.x86_64.rpm
glusterfs-cli-3.8.4-18.el6.x86_64.rpm
glusterfs-client-xlators-3.8.4-18.el6.x86_64.rpm
glusterfs-debuginfo-3.8.4-18.el6.x86_64.rpm
glusterfs-devel-3.8.4-18.el6.x86_64.rpm
glusterfs-fuse-3.8.4-18.el6.x86_64.rpm
glusterfs-libs-3.8.4-18.el6.x86_64.rpm
glusterfs-rdma-3.8.4-18.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-1795
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.2/html/3.2_release_notes/

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY03feXlSAg2UNWIIRAi0IAKCAPNVKyHaPOco5w6QEeh8tB+oAfgCff5vP
dPfGgxihI4HOWaOS0LIXdPo=
=UX0C
-----END PGP SIGNATURE-----