Debian Glusterfs vulnerabilities
29 known vulnerabilities affecting debian/glusterfs.
Total CVEs: 29
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
HIGH: 14, MEDIUM: 10, LOW: 5
Vulnerabilities
Page 2 of 2
CVE-2018-10924 | MEDIUM | CVSS 5.3 | fixed in glusterfs 4.0.1-1 (bookworm) | 2018
It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine.
Scope: local
bookworm: resolved (fixed in 4.0.1-1)
bullseye: resolved (fixed in 4.0.1-1)
forky: resolved (fixed in 4.0.1-1)
sid: resolve
debian
CVE-2018-14652 | MEDIUM | CVSS 6.5 | fixed in glusterfs 5.0-1 (bookworm) | 2018
The Gluster file system through versions 3.12 and 4.1.4 is vulnerable to a buffer overflow in the 'features/index' translator via the code handling the 'GF_XATTR_CLRLK_CMD' xattr in the 'pl_getxattr' function. A remote authenticated attacker could exploit this on a mounted volume to cause a denial of service.
Scope: local
bookworm: resolved (fixed in 5.0-1)
bull
debian
CVE-2018-14654 | MEDIUM | CVSS 6.5 | fixed in glusterfs 5.1-1 (bookworm) | 2018
The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote attacker with access to mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the target server.
Scope: local
bookworm: resolved (fixed in 5.1-1)
bullseye: resolved (fixed in 5.1-1)
forky: reso
debian
CVE-2018-1112 | LOW | CVSS 8.1 | 2018
CVE-2018-1112 [HIGH] CVE-2018-1112: glusterfs - glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.a...
glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.allow' option which allows any unauthenticated gluster client to connect from any network to mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resol
debian
CVE-2017-15096 | LOW | CVSS 3.3 | fixed in glusterfs 3.12.2-2 (bookworm) | 2017
A flaw was found in GlusterFS in versions prior to 3.10. A null pointer dereference in send_brick_req function in glusterfsd/src/gf_attach.c may be used to cause denial of service.
Scope: local
bookworm: resolved (fixed in 3.12.2-2)
bullseye: resolved (fixed in 3.12.2-2)
forky: resolved (fixed in 3.12.2-2)
sid: resolved (fixed in 3.12.2-2)
trixie: resolved (fixed i
debian
CVE-2015-1795 | LOW | CVSS 7.8 | 2015
CVE-2015-1795 [HIGH] CVE-2015-1795: glusterfs - Red Hat Gluster Storage RPM Package 3.2 allows local users to gain privileges an...
Red Hat Gluster Storage RPM Package 3.2 allows local users to gain privileges and execute arbitrary code as root.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2014-3619 | MEDIUM | CVSS 5.0 | fixed in glusterfs 3.5.2-2 (bookworm) | 2014
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.
Scope: local
bookworm: resolved (fixed in 3.5.2-2)
bullseye: resolved (fixed in 3.5.2-2)
forky: resolved (fixed in 3.5.2-2)
sid: resolved (fixed in 3.5.2-2)
trixie: resolved (fixed in 3.5.2-2)
debian
CVE-2012-5635 | LOW | CVSS 3.6 | fixed in glusterfs 3.5.0-1 (bookworm) | 2012
The GlusterFS functionality in Red Hat Storage Management Console 2.0, Native Client, and Server 2.0 allows local users to overwrite arbitrary files via a symlink attack on multiple temporary files created by (1) tests/volume.rc, (2) extras/hook-scripts/S30samba-stop.sh, and possibly other vectors, different vulnerabilities than CVE-2012-4417.
Scope: local
bookworm:
debian
CVE-2012-4417 | LOW | CVSS 3.6 | fixed in glusterfs 3.2.7-5 (bookworm) | 2012
GlusterFS 3.3.0, as used in Red Hat Storage server 2.0, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.
Scope: local
bookworm: resolved (fixed in 3.2.7-5)
bullseye: resolved (fixed in 3.2.7-5)
forky: resolved (fixed in 3.2.7-5)
sid: resolved (fixed in 3.2.7-5)
trixie: resolved (fixed in 3.2.7-5)
debian