-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2547
               Moderate: Red Hat Gluster Storage 3.1 update
                              6 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Gluster Storage 3.1
Publisher:         Red Hat
Operating System:  Red Hat
                   Red Hat Enterprise Linux Server 6
Impact/Access:     Modify Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8177  

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2015-1845.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Gluster Storage 3.1 update
Advisory ID:       RHSA-2015:1845-01
Product:           Red Hat Storage
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1845.html
Issue date:        2015-10-05
CVE Names:         CVE-2014-8177 
=====================================================================

1. Summary:

Red Hat Gluster Storage 3.1 Update 1, which fixes one security issue,
several bugs, and adds various enhancements, is now available for Red Hat
Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat Gluster Storage NFS 3.1 - x86_64
Red Hat Gluster Storage Nagios 3.1 on RHEL-6 - noarch
Red Hat Gluster Storage Server 3.1 on RHEL-6 - noarch, x86_64
Red Hat Storage Native Client for Red Hat Enterprise Linux 6 - x86_64

3. Description:

Red Hat Gluster Storage is a software-only scale-out storage solution that
provides flexible and affordable unstructured data storage. It unifies data
storage and infrastructure, increases performance, and improves
availability and manageability to meet enterprise-level storage challenges.

Red Hat Gluster Storage's Unified File and Object Storage is built on
OpenStack's Object Storage (swift).

A flaw was found in the metadata constraints in Red Hat Gluster Storage's
OpenStack Object Storage (swiftonfile). The max_meta_count constraint was
checked only against the metadata supplied in a single request, not
against the metadata already stored on the object. By adding metadata in
several separate calls, a malicious user with an existing account could
bypass the constraint and store more metadata than the configuration
allows. (CVE-2014-8177)
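The following Python illustration of the flaw is added here and is not code from Red Hat, OpenStack Swift or the swiftonfile project. It models an object server that merges each POST's X-Object-Meta-* headers into the metadata already stored on the object, the behaviour the advisory's description implies; the in-memory "stored" dict, post_vulnerable, post_fixed and run_attack are simplified stand-ins for that server and its client, and the limit values copy Swift's documented [swift-constraints] defaults. The vulnerable and fixed handlers differ only in whether the constraint is evaluated before or after the merge:

```python
"""CVE-2014-8177 illustration: per-request vs. merged-state metadata limits.

Added example, not code from Red Hat, OpenStack Swift or swiftonfile.
The object server, its storage and the request shape are simplified
stand-ins (assumptions); the limit values are Swift's documented defaults.
"""

# Swift's default [swift-constraints] values
MAX_META_COUNT = 90            # max_meta_count: number of user metadata items
MAX_META_OVERALL_SIZE = 4096   # max_meta_overall_size: bytes of names + values
MAX_META_NAME_LENGTH = 128     # max_meta_name_length (name after the prefix)
MAX_META_VALUE_LENGTH = 256    # max_meta_value_length
META_PREFIX = "x-object-meta-"


class MetadataLimitExceeded(Exception):
    """Raised where a real object server would answer 400 Bad Request."""


def user_meta(headers):
    """Pick the X-Object-Meta-* headers out of a header dict (case-insensitive)."""
    return {k.lower(): v for k, v in headers.items()
            if k.lower().startswith(META_PREFIX)}


def check_constraints(meta):
    """Enforce the four user-metadata limits on one metadata dict."""
    if len(meta) > MAX_META_COUNT:
        raise MetadataLimitExceeded(
            "too many metadata items: %d > %d" % (len(meta), MAX_META_COUNT))
    total = 0
    for name, value in meta.items():
        if len(name) - len(META_PREFIX) > MAX_META_NAME_LENGTH:
            raise MetadataLimitExceeded("metadata name too long: %s" % name)
        if len(value) > MAX_META_VALUE_LENGTH:
            raise MetadataLimitExceeded("metadata value too long: %s" % name)
        total += len(name) + len(value)
    if total > MAX_META_OVERALL_SIZE:
        raise MetadataLimitExceeded(
            "metadata too large: %d > %d bytes" % (total, MAX_META_OVERALL_SIZE))


def post_vulnerable(stored, request_headers):
    """Flawed order: validate only this request's headers, then merge them
    into the metadata already on the object.  Every POST passes as long as
    it is individually under the limits, while the stored set keeps growing."""
    incoming = user_meta(request_headers)
    check_constraints(incoming)      # looks at this request in isolation
    merged = dict(stored)
    merged.update(incoming)
    return merged


def post_fixed(stored, request_headers):
    """Corrected order: merge first, then validate what would actually be
    persisted, so the limits bound the object's total metadata."""
    incoming = user_meta(request_headers)
    merged = dict(stored)
    merged.update(incoming)
    check_constraints(merged)        # limits apply to the merged state
    return merged


def run_attack(handler, rounds=3, per_request=MAX_META_COUNT):
    """Constructed client: issue `rounds` POSTs, each carrying `per_request`
    fresh metadata keys (within the per-request limit), and return how many
    user metadata items the object ends up with."""
    stored = {}
    for r in range(rounds):
        headers = {"X-Object-Meta-r%d-k%d" % (r, i): "v"
                   for i in range(per_request)}
        stored = handler(stored, headers)
    return len(stored)


def limit_enforced(handler, rounds=3):
    """True if the handler rejects metadata accumulated over several calls."""
    try:
        run_attack(handler, rounds)
    except MetadataLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable server stores", run_attack(post_vulnerable), "items")
    print("fixed server enforces limit:", limit_enforced(post_fixed))
```

With three POSTs of 90 keys each, the vulnerable ordering leaves 270 user metadata items on the object while every individual request passed the check; the fixed ordering rejects the second POST. The same pattern applies to any resource limit enforced at an API boundary: the check has to run against the state that will be persisted, not against the delta in one request.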

This update also fixes numerous bugs and adds various enhancements. Space
precludes documenting all of these changes in this advisory. Users are
directed to the Red Hat Gluster Storage 3.1 Technical Notes, linked to in
the References section, for information on the most significant of these
changes.

This advisory introduces the following new features:

* Gdeploy is a tool which automates the process of creating, formatting,
and mounting bricks. When setting up a fresh cluster, gdeploy may be the
preferred way to set it up, as manually executing numerous commands can be
error prone. The advantages of using gdeploy include automated brick
creation, flexibility in choosing the drives to configure (sd, vd, etc.),
and flexibility in naming the logical volumes (LV) and volume groups (VG).
(BZ#1248899)

* The gstatus command is now fully supported. The gstatus command provides
an easy-to-use, high-level view of the health of a trusted storage pool
with a single command. It gathers information about the health of a Red Hat
Gluster Storage trusted storage pool for distributed, replicated,
distributed-replicated, dispersed, and distributed-dispersed volumes.
(BZ#1250453)

* You can now recover a bad file detected by BitRot from a replicated
volume. The information about the bad file will be logged in the scrubber
log file located at /var/log/glusterfs/scrub.log. (BZ#1238171)

* Two tailored tuned profiles are introduced to improve the performance of
specific Red Hat Gluster Storage workloads: rhgs-sequential-io, which
improves performance for large files with sequential I/O workloads, and
rhgs-random-io, which improves performance for small files with random
I/O workloads. (BZ#1251360)

All users of Red Hat Gluster Storage are advised to apply this update.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1027723 - Quota: volume-reset shouldn't remove quota-deem-statfs, unless explicitly specified, when quota is enabled.
1064265 - quota: allowed to set soft-limit percentage beyond 100%
1076033 - Unknown Key: <bricks> are reported when the glusterd was restarted
1091936 - In case no ACL is set on a file, nfs4_getfacl should return a default ACL
1134288 - "Unable to get transaction opinfo for transaction ID" error messages in glusterd logs
1178100 - [USS]: gluster volume reset <vol-name>, resets the uss configured option but snapd process continues to run
1213893 - rebalance stuck at 0 byte when auth.allow is set
1215816 - 1 mkdir generates tons of log messages from dht and disperse xlators
1225452 - [remove-brick]: Creation of file from NFS writes to the decommissioned subvolume and subsequent lookup from fuse creates a link
1226665 - gf_store_save_value fails to check for errors, leading to emptying files in /var/lib/glusterd/
1226817 - nfs-ganesha: new volume creation tries to bring up glusterfs-nfs even when nfs-ganesha is already on
1227724 - Quota: Used space of the volume is wrongly calculated
1227759 - Write performance from a Windows client on 3-way replicated volume decreases substantially when one brick in the replica set is brought down
1228135 - [Bitrot] Gluster v set <volname> bitrot enable command succeeds, which is not supported to enable bitrot
1228158 - nfs-ganesha: error seen while delete node "Error: unable to create resource/fence device 'nfs5-cluster_ip-1', 'nfs5-cluster_ip-1' already exists on this system"
1229606 - Quota: " E [quota.c:1197:quota_check_limit] 0-ecvol-quota: Failed to check quota size limit" in brick logs
1229621 - Quota: Seeing error message in brick logs "E [posix-handle.c:157:posix_make_ancestryfromgfid] 0-vol0-posix: could not read the link from the gfid handle /rhs/brick1/b1/.glusterfs/a3/f3/a3f3664f-df98-448e-b5c8-924349851c7e (No such file or directory)"
1231080 - Snapshot: When soft limit is reached and auto-delete is enabled, create snapshot doesn't log anything in log files
1232216 - [geo-rep]: UnboundLocalError: local variable 'fd' referenced before assignment
1232569 - [Backup]: Glusterfind list shows the session as corrupted on the peer node
1234213 - [Backup]: Password of the peer nodes prompted whenever a glusterfind session is deleted.
1234399 - `gluster volume heal <vol-name> split-brain' changes required for entry-split-brain
1234610 - ACL created on a dht.linkto file for files that skipped rebalance
1234708 - Volume option cluster.enable-shared-storage is not listed in "volume set help-xml" output
1235182 - quota: marker accounting miscalculated when renaming a file while a write is in progress
1235571 - snapd crashed due to stack overflow
1235971 - nfs-ganesha: ganesha-ha.sh --status is actually same as "pcs status"
1236038 - Data Loss: Remove brick commit passes when remove-brick process has not even started (due to killing glusterd)
1236546 - [geo-rep]: killing brick from replica pair makes geo-rep session faulty with Traceback "ChangelogException"
1236672 - quota: brick crashes when create and remove performed in parallel
1236990 - glfsheal crashed
1238070 - snapd/quota/nfs runs on the RHGS node, even after that node was detached from trusted storage pool
1238071 - Quota: Quota Daemon doesn't start after node reboot
1238111 - Detaching a peer from the cluster doesn't remove snap related info and peer probe initiated from that node fails
1238116 - Gluster-swift object server leaks fds in failure cases (when exceptions are raised)
1238118 - nfs-ganesha: coredump for ganesha process post executing the volume start twice
1238147 - Object expirer daemon times out and raises exception while attempting to expire a million objects
1238171 - Not able to recover the corrupted file on Replica volume
1238398 - Unable to examine file in metadata split-brain after setting `replica.split-brain-choice' attribute to a particular replica
1238977 - Scrubber log should mark file corrupted message as Alert not as information
1239021 - AFR: gluster v restart force or brick process restart doesn't heal the files
1239075 - [geo-rep]: rename followed by deletes causes ESTALE
1240614 - Gluster nfs started running on one of the nodes of ganesha cluster, even though ganesha was running on it
1240657 - Deceiving log messages like "Failing STAT on gfid : split-brain observed. [Input/output error]" reported
1241385 - [Backup]: Glusterfind pre attribute '--output-prefix' not working as expected in case of DELETEs
1241761 - nfs-ganesha: coredump "pthread_spin_lock () from /lib64/libpthread.so.0"
1241807 - Brick crashed after a complete node failure
1241862 - EC volume: Replace bricks is not healing version of root directory
1241871 - Symlink mount fails for nfs-ganesha volume
1242803 - Quota list on a volume hangs after glusterd restart on a node.
1243542 - [RHEV-RHGS] App VMs paused due to IO error caused by split-brain, after initiating remove-brick operation
1243722 - glusterd crashed when a client which doesn't support SSL tries to mount a SSL enabled gluster volume
1243886 - huge mem leak in posix xattrop
1244415 - Enabling management SSL on a gluster cluster already configured can crash glusterd
1244527 - DHT-rebalance: Rebalance hangs on distribute volume when glusterd is stopped on peer node
1245162 - python-argparse not installed as a dependency package
1245165 - Some times files are not getting signed
1245536 - [RHGS-AMI] Same UUID generated across instances
1245542 - quota/marker: errors in log file 'Failed to get metadata for'
1245897 - gluster snapshot status --xml gives back unexpected non xml output
1245915 - snap-view:mount crash if debug mode is enabled
1245919 - USS: Take ref on root inode
1245924 - [Snapshot] Scheduler should check vol-name exists or not before adding scheduled jobs
1246946 - critical message seen in glusterd log file, when detaching a peer, but no functional loss
1247445 - [upgrade] After in-service software upgrade from RHGS 2.1 to RHGS 3.1, self-heal daemon is not coming online
1247537 - yum groups for RHGS Server and Console are listed under Available Language Groups instead of Available groups
1248899 - [Feature 3.1.1 gdeploy] Develop tool to setup thinp backend and create Gluster volumes
1249989 - [GSS] python-gluster packages not being treated as dependent package for gluster-swift packages
1250453 - [Feature]: Qualify gstatus to 3.1.1 release
1250821 - [RHGS 3.1 RHEL-7 AMI] RHEL-7 repo disabled by default, NFS and samba repos enabled by default
1251360 - Update RHGS tuned profiles for RHEL-6
1251925 - .trashcan is listed as container and breaks object expiration in gluster-swift
1253141 - [RHGS-AMI] RHUI repos not accessible on RHGS-3.1 RHEL-7 AMI
1254432 - gstatus: Overcommit field show wrong information when one of the node is down
1254514 - gstatus: Status message doesn't show the storage node name which is down
1254866 - gstatus: Running gstatus with -b option gives error
1254991 - gdeploy: unmount doesn't remove fstab entries
1255015 - gdeploy: unmount fails with fstype parameter
1255308 - Inconsistent data returned when objects are modified from file interface
1255471 - [libgfapi] crash when NFS Ganesha Volume is 100% full
1257099 - gdeploy: checks missing for brick mounts when there are existing physical volumes
1257162 - gdeploy: volume force option doesn't work as expected
1257468 - gdeploy: creation of thin pool stuck after brick cleanup
1257509 - Disperse volume: df -h on a nfs mount throws Invalid argument error
1257525 - CVE-2014-8177 gluster-swift metadata constraints are not correctly enforced
1258434 - gdeploy: peer probe issues during an add-brick operation with fresh hosts
1258810 - gdeploy: change all references to brick_dir in config file
1258821 - gdeploy: inconsistency in the way backend setup and volume creation uses brick_dirs value
1259750 - DHT: Few files are missing after remove-brick operation
1260086 - snapshot: from nfs-ganesha mount no content seen in .snaps/<snapshot-name> directory
1260982 - gdeploy: ENOTEMPTY errors when gdeploy fails
1262236 - glusterd: disable ping timer between glusterd instances and make epoll thread count default 1
1262291 - `getfattr -n replica.split-brain-status <file>' command hung on the mount
1263094 - nfs-ganesha crashes due to usage of invalid fd in glfs_close
1263581 - nfs-ganesha: nfsd coredumps once quota limits cross while creating a file larger than the quota limit set
1263653 - dht: Avoid double unlock in dht_refresh_layout_cbk

6. Package List:

Red Hat Gluster Storage NFS 3.1:

Source:
nfs-ganesha-2.2.0-9.el6rhs.src.rpm

x86_64:
nfs-ganesha-2.2.0-9.el6rhs.x86_64.rpm
nfs-ganesha-debuginfo-2.2.0-9.el6rhs.x86_64.rpm
nfs-ganesha-gluster-2.2.0-9.el6rhs.x86_64.rpm

Red Hat Gluster Storage Nagios 3.1 on RHEL-6:

Source:
gluster-nagios-common-0.2.2-1.el6rhs.src.rpm
nagios-server-addons-0.2.2-1.el6rhs.src.rpm

noarch:
gluster-nagios-common-0.2.2-1.el6rhs.noarch.rpm
nagios-server-addons-0.2.2-1.el6rhs.noarch.rpm

Red Hat Gluster Storage Server 3.1 on RHEL-6:

Source:
gdeploy-1.0-12.el6rhs.src.rpm
gluster-nagios-addons-0.2.5-1.el6rhs.src.rpm
gluster-nagios-common-0.2.2-1.el6rhs.src.rpm
glusterfs-3.7.1-16.el6rhs.src.rpm
gstatus-0.65-1.el6rhs.src.rpm
openstack-swift-1.13.1-6.el6ost.src.rpm
redhat-storage-server-3.1.1.0-2.el6rhs.src.rpm
swiftonfile-1.13.1-5.el6rhs.src.rpm
vdsm-4.16.20-1.3.el6rhs.src.rpm

noarch:
gdeploy-1.0-12.el6rhs.noarch.rpm
gluster-nagios-common-0.2.2-1.el6rhs.noarch.rpm
openstack-swift-1.13.1-6.el6ost.noarch.rpm
openstack-swift-account-1.13.1-6.el6ost.noarch.rpm
openstack-swift-container-1.13.1-6.el6ost.noarch.rpm
openstack-swift-doc-1.13.1-6.el6ost.noarch.rpm
openstack-swift-object-1.13.1-6.el6ost.noarch.rpm
openstack-swift-proxy-1.13.1-6.el6ost.noarch.rpm
redhat-storage-server-3.1.1.0-2.el6rhs.noarch.rpm
swiftonfile-1.13.1-5.el6rhs.noarch.rpm
vdsm-cli-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-debug-plugin-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-gluster-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-hook-ethtool-options-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-hook-faqemu-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-hook-openstacknet-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-hook-qemucmdline-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-jsonrpc-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-python-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-python-zombiereaper-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-reg-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-tests-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-xmlrpc-4.16.20-1.3.el6rhs.noarch.rpm
vdsm-yajsonrpc-4.16.20-1.3.el6rhs.noarch.rpm

x86_64:
gluster-nagios-addons-0.2.5-1.el6rhs.x86_64.rpm
gluster-nagios-addons-debuginfo-0.2.5-1.el6rhs.x86_64.rpm
glusterfs-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-api-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-api-devel-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-cli-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-client-xlators-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-debuginfo-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-devel-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-fuse-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-ganesha-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-geo-replication-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-libs-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-rdma-3.7.1-16.el6rhs.x86_64.rpm
glusterfs-server-3.7.1-16.el6rhs.x86_64.rpm
gstatus-0.65-1.el6rhs.x86_64.rpm
gstatus-debuginfo-0.65-1.el6rhs.x86_64.rpm
python-gluster-3.7.1-16.el6rhs.x86_64.rpm
vdsm-4.16.20-1.3.el6rhs.x86_64.rpm
vdsm-debuginfo-4.16.20-1.3.el6rhs.x86_64.rpm

Red Hat Storage Native Client for Red Hat Enterprise Linux 6:

Source:
glusterfs-3.7.1-16.el6.src.rpm

x86_64:
glusterfs-3.7.1-16.el6.x86_64.rpm
glusterfs-api-3.7.1-16.el6.x86_64.rpm
glusterfs-api-devel-3.7.1-16.el6.x86_64.rpm
glusterfs-cli-3.7.1-16.el6.x86_64.rpm
glusterfs-client-xlators-3.7.1-16.el6.x86_64.rpm
glusterfs-debuginfo-3.7.1-16.el6.x86_64.rpm
glusterfs-devel-3.7.1-16.el6.x86_64.rpm
glusterfs-fuse-3.7.1-16.el6.x86_64.rpm
glusterfs-libs-3.7.1-16.el6.x86_64.rpm
glusterfs-rdma-3.7.1-16.el6.x86_64.rpm
python-gluster-3.7.1-16.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
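The Python check below is added here and is not a Red Hat tool. It re-implements librpm's version/release ordering (rpmvercmp) so that installed package versions can be compared against the fixed versions in the "Red Hat Gluster Storage Server 3.1 on RHEL-6" table above; FIXED copies a handful of (version, release) pairs from that table, and SAMPLE_RPM_QA is constructed input in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` rather than output from a real host. That query format does not carry the epoch, so every package is treated as epoch 0 here:

```python
"""Check installed NVRs against the RHSA-2015:1845 package list.

Added example, not a Red Hat tool.  rpmvercmp() mirrors librpm's ordering;
FIXED is copied from the advisory's server table; SAMPLE_RPM_QA is a
constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`.
Epochs are absent from that form and assumed to be 0.
"""
import string

# Fixed (version, release) per binary package, from the advisory's server table.
FIXED = {
    "swiftonfile": ("1.13.1", "5.el6rhs"),
    "openstack-swift": ("1.13.1", "6.el6ost"),
    "glusterfs": ("3.7.1", "16.el6rhs"),
    "glusterfs-server": ("3.7.1", "16.el6rhs"),
    "gdeploy": ("1.0", "12.el6rhs"),
}

# Constructed sample of `rpm -qa` output; not taken from a real host.
SAMPLE_RPM_QA = """\
glusterfs-3.7.1-11.el6rhs
glusterfs-server-3.7.1-11.el6rhs
swiftonfile-1.13.1-4.el6rhs
openstack-swift-1.13.1-6.el6ost
gdeploy-1.0-12.el6rhs
bash-4.1.2-33.el6
"""


def _digit(c):
    return c in string.digits


def _alpha(c):
    return c in string.ascii_letters


def rpmvercmp(a, b):
    """Order two version (or release) strings like librpm's rpmvercmp():
    digit runs compare numerically, letter runs lexically, numeric beats
    alpha, '~' sorts before anything (pre-release), and the string with
    segments left over is newer.  Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators ('.', '-', '_', ...) only delimit segments
        while i < len(a) and not (_digit(a[i]) or _alpha(a[i]) or a[i] == "~"):
            i += 1
        while j < len(b) and not (_digit(b[j]) or _alpha(b[j]) or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:                      # tilde loses even to end-of-string
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        si, sj = i, j
        numeric = _digit(a[i])
        take = _digit if numeric else _alpha
        while i < len(a) and take(a[i]):
            i += 1
        while j < len(b) and take(b[j]):
            j += 1
        one, two = a[si:i], b[sj:j]
        if not two:                       # segment types differ
            return 1 if numeric else -1
        if numeric:
            one, two = one.lstrip("0"), two.lstrip("0")
            if len(one) != len(two):      # more digits means a larger number
                return 1 if len(one) > len(two) else -1
        if one != two:
            return 1 if one > two else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(a, b):
    """Compare (epoch, version, release) triples; epoch numerically first."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_nvr(nvr):
    """'glusterfs-server-3.7.1-11.el6rhs' -> ('glusterfs-server', '3.7.1', '11.el6rhs')."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release


def outstanding(rpm_qa_output, fixed=FIXED):
    """[(name, installed 'V-R', fixed 'V-R')] for packages in `fixed` whose
    installed version is older than the erratum's, sorted by name."""
    result = []
    for nvr in rpm_qa_output.split():
        name, ver, rel = parse_nvr(nvr)
        if name in fixed:
            fver, frel = fixed[name]
            if evr_cmp((0, ver, rel), (0, fver, frel)) < 0:
                result.append((name, "%s-%s" % (ver, rel), "%s-%s" % (fver, frel)))
    return sorted(result)


if __name__ == "__main__":
    for name, have, want in outstanding(SAMPLE_RPM_QA):
        print("%-20s installed %-14s needs %s" % (name, have, want))
```

Two caveats when using this against a real host: the FIXED table is keyed on the server channel's releases, so Native Client packages (release 16.el6 rather than 16.el6rhs) need their own table or they will be reported as outstanding, and a version comparison says nothing about package integrity; the `rpm -K` signature check against the Red Hat key referenced above is still what establishes that an installed package is the one Red Hat shipped.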

7. References:

https://access.redhat.com/security/cve/CVE-2014-8177
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3.1/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD4DBQFWElmqXlSAg2UNWIIRAoS4AJjPtCNBvpCBGOdoLCrTVZKPEU/EAJ9BOd7U
q65kLOt2tI8lW5GXiAps1w==
=zCq3
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----