aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2018-09-13 18:15:37 +0800
committerBruce Ashfield <bruce.ashfield@windriver.com>2018-09-18 03:07:53 -0400
commit4a1ffcdc9939cf3280fd803901f5175502a5ef8f (patch)
treeba18c25a3328cbf93076f9d82318323f81f339d2
parentbf98d2e27d31804f559bfc9f7cb0582f3c258ac6 (diff)
downloadmeta-cloud-services-4a1ffcdc9939cf3280fd803901f5175502a5ef8f.zip
meta-cloud-services-4a1ffcdc9939cf3280fd803901f5175502a5ef8f.tar.gz
meta-cloud-services-4a1ffcdc9939cf3280fd803901f5175502a5ef8f.tar.bz2
glusterfs: fix CVE-2018-10841
Backport patch to fix the following CVE. CVE: CVE-2018-10841 Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
-rw-r--r--recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch43
-rw-r--r--recipes-extended/glusterfs/glusterfs.inc1
2 files changed, 44 insertions, 0 deletions
diff --git a/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch b/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
new file mode 100644
index 0000000..dcbb435
--- /dev/null
+++ b/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
@@ -0,0 +1,43 @@
+From e79741414777c25e5c2a08e6c31619a0fbaad058 Mon Sep 17 00:00:00 2001
+From: Mohit Agrawal <moagrawa@redhat.com>
+Date: Wed, 20 Jun 2018 16:13:00 +0530
+Subject: [PATCH 3/3] glusterfs: access trusted peer group via remote-host
+ command
+
+Problem: In SSL environment the user is able to access volume
+ via remote-host command without adding node in a trusted pool
+
+Solution: Change the list of rpc program in glusterd.c at the
+ time of initialization while SSL is enabled
+
+BUG: 1593232
+Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
+fixes: bz#1593232
+Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
+
+Upstream-Status: Backport
+Fix CVE-2018-10841
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ xlators/mgmt/glusterd/src/glusterd.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/xlators/mgmt/glusterd/src/glusterd.c b/xlators/mgmt/glusterd/src/glusterd.c
+index ef20689..5e0ed8d 100644
+--- a/xlators/mgmt/glusterd/src/glusterd.c
++++ b/xlators/mgmt/glusterd/src/glusterd.c
+@@ -1646,11 +1646,6 @@ init (xlator_t *this)
+ goto out;
+ }
+ /*
+- * With strong authentication, we can afford to allow
+- * privileged operations over TCP.
+- */
+- gd_inet_programs[1] = &gd_svc_cli_prog;
+- /*
+ * This is the only place where we want secure_srvr to reflect
+ * the management-plane setting.
+ */
+--
+2.7.4
+
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
index 8bf5653..ab63a9a 100644
--- a/recipes-extended/glusterfs/glusterfs.inc
+++ b/recipes-extended/glusterfs/glusterfs.inc
@@ -22,6 +22,7 @@ SRC_URI += "file://glusterd.init \
file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \
file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
file://0002-server-auth-add-option-for-strict-authentication.patch \
+ file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch \
"
LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"