-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0787
        Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix,
                          and enhancement update
                               24 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Gluster Storage
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1795  

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2017-0484.html
   https://rhn.redhat.com/errata/RHSA-2017-0486.html

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:0484-01
Product:           Red Hat Gluster Storage
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0484.html
Issue date:        2017-03-23
CVE Names:         CVE-2015-1795 
=====================================================================

1. Summary:

An update is now available for Red Hat Gluster Storage 3.2 on Red Hat
Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster Storage Server 3.2 on RHEL-6 - noarch, x86_64
Red Hat Storage Native Client for Red Hat Enterprise Linux 6 - noarch, x86_64

3. Description:

Red Hat Gluster Storage is a software-only scale-out storage solution that
provides flexible and affordable unstructured data storage. It unifies data
storage and infrastructure, increases performance, and improves
availability and manageability to meet enterprise-level storage challenges.

The following packages have been upgraded to a later upstream version:
glusterfs (3.8.4), redhat-storage-server (3.2.0.3). (BZ#1362373)

Security Fix(es):

* It was found that the %pretrans scriptlet of the glusterfs-server RPM
package would write a shell script with a predictable name into the
world-readable /tmp directory and then run it. A local attacker could
potentially use this flaw to escalate their privileges to root by modifying
the shell script during the installation of the glusterfs-server package.
(CVE-2015-1795)

This issue was discovered by Florian Weimer of Red Hat Product Security.
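The flaw above is the classic predictable-temp-file pattern: a privileged scriptlet picks a path any local user can guess, writes a shell script there, and runs it. The Python program below is an added illustration of that pattern and of two ways to close it; it is not the glusterfs scriptlet (an RPM scriptlet, not reproduced on this page), and the file-name shape (prefix plus timestamp), the script body and the Attacker class are all constructed for the demo. A private directory from mkdtemp() stands in for /tmp, and both roles run as the same uid, so the attacker's moves are spelled out as explicit steps instead of being raced for real.

```python
"""Predictable temp file under /tmp versus two safe alternatives (illustration only)."""
import os
import subprocess
import tempfile
import time

# Constructed stand-in for the shell script a privileged scriptlet wants to run.
PACKAGER_SCRIPT = "#!/bin/sh\necho packager-check\n"


class Attacker:
    """Unprivileged local user who can guess the path the scriptlet will use."""

    payload = "#!/bin/sh\necho attacker-wins\n"

    def plant(self, path):
        # Create the file first: the inode, and therefore its ownership, is the attacker's.
        with open(path, "w") as fh:
            fh.write("")
        os.chmod(path, 0o666)

    def rewrite(self, path):
        # Still the owner, so the attacker can replace root's script before it runs.
        with open(path, "w") as fh:
            fh.write(self.payload)


def vulnerable_install(tmp_dir, attacker=None):
    """The CVE-2015-1795 pattern: guessable name, open() without O_EXCL, then execute.

    The name shape (fixed prefix plus a timestamp) is an assumption for the demo;
    the advisory only says the name was predictable.
    """
    path = os.path.join(tmp_dir, "pretrans_%d.sh" % int(time.time()))
    if attacker:
        attacker.plant(path)
    # open(..., "w") is O_WRONLY|O_CREAT|O_TRUNC: an existing file is silently reused.
    with open(path, "w") as fh:
        fh.write(PACKAGER_SCRIPT)
    if attacker:
        attacker.rewrite(path)  # the race window between write and execute
    try:
        return _run(["/bin/sh", path])
    finally:
        os.unlink(path)


def hardened_install_tempfile(tmp_dir):
    """Fix 1: mkstemp() picks an unguessable name and opens it O_CREAT|O_EXCL, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="pretrans_", suffix=".sh", dir=tmp_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(PACKAGER_SCRIPT)
        return _run(["/bin/sh", path])
    finally:
        os.unlink(path)


def hardened_install_no_file():
    """Fix 2: create no file at all; hand the script to the shell on stdin."""
    return _run(["/bin/sh"], stdin_text=PACKAGER_SCRIPT)


def exclusive_create(path):
    """What O_EXCL buys: creation fails closed if the name already exists (file or symlink)."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def _run(argv, stdin_text=None):
    done = subprocess.run(argv, input=stdin_text, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def demo():
    """Run every path in a private sandbox directory standing in for /tmp."""
    sandbox = tempfile.mkdtemp(prefix="cve-2015-1795-demo-")
    results = {
        "vulnerable_unraced": vulnerable_install(sandbox),
        "vulnerable_raced": vulnerable_install(sandbox, Attacker()),
        "mkstemp": hardened_install_tempfile(sandbox),
        "stdin": hardened_install_no_file(),
    }
    planted = os.path.join(sandbox, "planted.sh")
    Attacker().plant(planted)
    results["o_excl_rejects_planted"] = not exclusive_create(planted)
    os.unlink(planted)
    os.rmdir(sandbox)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

The exploitable property is not the write itself but that open(2) without O_EXCL reuses a file the attacker created and still owns, so the attacker can rewrite it at any point before root executes it. mkstemp() fixes both halves (unguessable name, O_CREAT|O_EXCL with mode 0600); feeding the script to the shell on stdin removes the temporary file altogether, which is the better choice for a scriptlet. Note also that rpm runs the %pretrans scriptlet of the package being installed, so upgrading to the fixed build does not itself exercise the old scriptlet.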

Bug Fix(es):

* Bricks remain stopped if server quorum is no longer met, or if server
quorum is disabled, to ensure that bricks in maintenance are not started
incorrectly. (BZ#1340995)

* The metadata cache translator has been updated to improve Red Hat Gluster
Storage performance when reading small files. (BZ#1427783)

* The 'gluster volume add-brick' command is no longer allowed when the
replica count has increased and any replica bricks are unavailable.
(BZ#1404989)

* Split-brain resolution commands work regardless of whether client-side
heal or the self-heal daemon is enabled. (BZ#1403840)

Enhancement(s):

* Red Hat Gluster Storage now provides Transport Layer Security support for
Samba and NFS-Ganesha. (BZ#1340608, BZ#1371475)

* A new reset-sync-time option enables resetting the sync time attribute to
zero when required. (BZ#1205162)

* Tiering demotions are now triggered at most 5 seconds after a
hi-watermark breach event. Administrators can use the
cluster.tier-query-limit volume parameter to specify the number of records
extracted from the heat database during demotion. (BZ#1361759)

* The /var/log/glusterfs/etc-glusterfs-glusterd.vol.log file is now named
/var/log/glusterfs/glusterd.log. (BZ#1306120)

* The 'gluster volume attach-tier/detach-tier' commands are considered
deprecated in favor of the new commands, 'gluster volume tier VOLNAME
attach/detach'. (BZ#1388464)

* The HA_VOL_SERVER parameter in the ganesha-ha.conf file is no longer used
by Red Hat Gluster Storage. (BZ#1348954)

* The volfile server role can now be passed to another server when a server
is unavailable. (BZ#1351949)

* Ports can now be reused when they stop being used by another service.
(BZ#1263090)

* The thread pool limit for the rebalance process is now dynamic, and is
determined based on the number of available cores. (BZ#1352805)

* Brick verification at reboot now uses UUID instead of brick path.
(BZ#1336267)

* LOGIN_NAME_MAX is now used as the maximum length for the slave user
instead of __POSIX_LOGIN_NAME_MAX, allowing for up to 256 characters
including the NULL byte. (BZ#1400365)

* The client identifier is now included in the log message to make it
easier to determine which client failed to connect. (BZ#1333885)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1200927 - CVE-2015-1795 glusterfs: glusterfs-server %pretrans rpm script temporary file issue
1362373 - [RHEL6] Rebase glusterfs at RHGS-3.2.0 release
1375059 - [RHEL-6] Include vdsm and related dependency packages at RHGS 3.2.0 ISO
1382319 - [RHEL6] SELinux prevents FUSE mounting of RDMA transport type volumes
1403587 - [Perf] : pcs cluster resources went into stopped state during Multithreaded perf tests on RHGS layered over RHEL 6
1403919 - [Ganesha] : pcs status is not the same across the ganesha cluster in RHEL 6 environment
1404551 - Lower version of packages  subscription-manager, python-rhsm found in RHGS3.2 RHEL6 ISO.
1424944 - [Ganesha] : Unable to bring up a Ganesha HA cluster on RHEL 6.9.
1425748 - [GANESHA] Adding a node to existing ganesha cluster is failing on rhel 6.9
1432972 - /etc/pki/product/69.pem shows version as 6.8 for RHGS3.2.0(6.9)

6. Package List:

Red Hat Gluster Storage Server 3.2 on RHEL-6:

Source:
glusterfs-3.8.4-18.el6rhs.src.rpm
redhat-storage-server-3.2.0.3-1.el6rhs.src.rpm

noarch:
python-gluster-3.8.4-18.el6rhs.noarch.rpm
redhat-storage-server-3.2.0.3-1.el6rhs.noarch.rpm

x86_64:
glusterfs-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-api-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-api-devel-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-cli-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-client-xlators-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-debuginfo-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-devel-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-events-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-fuse-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-ganesha-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-geo-replication-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-libs-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-rdma-3.8.4-18.el6rhs.x86_64.rpm
glusterfs-server-3.8.4-18.el6rhs.x86_64.rpm

Red Hat Storage Native Client for Red Hat Enterprise Linux 6:

Source:
glusterfs-3.8.4-18.el6.src.rpm

noarch:
python-gluster-3.8.4-18.el6.noarch.rpm

x86_64:
glusterfs-3.8.4-18.el6.x86_64.rpm
glusterfs-api-3.8.4-18.el6.x86_64.rpm
glusterfs-api-devel-3.8.4-18.el6.x86_64.rpm
glusterfs-cli-3.8.4-18.el6.x86_64.rpm
glusterfs-client-xlators-3.8.4-18.el6.x86_64.rpm
glusterfs-debuginfo-3.8.4-18.el6.x86_64.rpm
glusterfs-devel-3.8.4-18.el6.x86_64.rpm
glusterfs-fuse-3.8.4-18.el6.x86_64.rpm
glusterfs-libs-3.8.4-18.el6.x86_64.rpm
glusterfs-rdma-3.8.4-18.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-1795
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.2/html/3.2_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY03feXlSAg2UNWIIRAi0IAKCAPNVKyHaPOco5w6QEeh8tB+oAfgCff5vP
dPfGgxihI4HOWaOS0LIXdPo=
=UX0C
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Gluster Storage 3.2.0 security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:0486-01
Product:           Red Hat Gluster Storage
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0486.html
Issue date:        2017-03-23
CVE Names:         CVE-2015-1795 
=====================================================================

1. Summary:

An update is now available for Red Hat Gluster Storage 3.2 on Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster Storage Server 3.2 on RHEL-7 - noarch, x86_64
Red Hat Storage Native Client for Red Hat Enterprise Linux 7 - noarch, x86_64

3. Description:

Red Hat Gluster Storage is a software-only scale-out storage solution that
provides flexible and affordable unstructured data storage. It unifies data
storage and infrastructure, increases performance, and improves
availability and manageability to meet enterprise-level storage challenges.

The following packages have been upgraded to a later upstream version:
glusterfs (3.8.4), redhat-storage-server (3.2.0.2), vdsm (4.17.33).
(BZ#1362376)

Security Fix(es):

* It was found that the %pretrans scriptlet of the glusterfs-server RPM
package would write a shell script with a predictable name into the
world-readable /tmp directory and then run it. A local attacker could
potentially use this flaw to escalate their privileges to root by modifying
the shell script during the installation of the glusterfs-server package.
(CVE-2015-1795)

This issue was discovered by Florian Weimer of Red Hat Product Security.

Bug Fix(es):

* Bricks remain stopped if server quorum is no longer met, or if server
quorum is disabled, to ensure that bricks in maintenance are not started
incorrectly. (BZ#1340995)

* The metadata cache translator has been updated to improve Red Hat Gluster
Storage performance when reading small files. (BZ#1427783)

* The 'gluster volume add-brick' command is no longer allowed when the
replica count has increased and any replica bricks are unavailable.
(BZ#1404989)

* Split-brain resolution commands work regardless of whether client-side
heal or the self-heal daemon is enabled. (BZ#1403840)

Enhancement(s):

* Red Hat Gluster Storage now provides Transport Layer Security support for
Samba and NFS-Ganesha. (BZ#1340608, BZ#1371475)

* A new reset-sync-time option enables resetting the sync time attribute to
zero when required. (BZ#1205162)

* Tiering demotions are now triggered at most 5 seconds after a
hi-watermark breach event. Administrators can use the
cluster.tier-query-limit volume parameter to specify the number of records
extracted from the heat database during demotion. (BZ#1361759)

* The /var/log/glusterfs/etc-glusterfs-glusterd.vol.log file is now named
/var/log/glusterfs/glusterd.log. (BZ#1306120)

* The 'gluster volume attach-tier/detach-tier' commands are considered
deprecated in favor of the new commands, 'gluster volume tier VOLNAME
attach/detach'. (BZ#1388464)

* The HA_VOL_SERVER parameter in the ganesha-ha.conf file is no longer used
by Red Hat Gluster Storage. (BZ#1348954)

* The volfile server role can now be passed to another server when a server
is unavailable. (BZ#1351949)

* Ports can now be reused when they stop being used by another service.
(BZ#1263090)

* The thread pool limit for the rebalance process is now dynamic, and is
determined based on the number of available cores. (BZ#1352805)

* Brick verification at reboot now uses UUID instead of brick path.
(BZ#1336267)

* LOGIN_NAME_MAX is now used as the maximum length for the slave user
instead of __POSIX_LOGIN_NAME_MAX, allowing for up to 256 characters
including the NULL byte. (BZ#1400365)

* The client identifier is now included in the log message to make it
easier to determine which client failed to connect. (BZ#1333885)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1168606 - [USS]: setting the uss option to on fails when volume is in stopped state
1200927 - CVE-2015-1795 glusterfs: glusterfs-server %pretrans rpm script temporary file issue
1205162 - [georep]: If a georep session is recreated the existing files which are deleted from slave doesn't get sync again from master
1211845 - glusterd: response not aligned
1240333 - [geo-rep]: original directory and renamed directory both at the slave after rename on master
1241314 - when enable-shared-storage is enabled, volume get still shows that the option is disabled
1245084 - [RFE] changes needed in snapshot info command's xml output.
1248998 - [AFR]: Files not available in the mount point after converting Distributed volume type to Replicated one.
1256483 - Unreleased packages in RHGS 3.1 AMI [RHEL 7]
1256524 - [RFE] reset brick
1257182 - Rebalance is not considering the brick sizes while fixing the layout
1258267 - 1 mkdir generates tons of log messages from dht xlator
1263090 - glusterd: add brick command should re-use the port for listening which is freed by remove-brick.
1264310 - DHT: Rebalance hang while migrating the files of disperse volume
1278336 - nfs client I/O stuck post IP failover
1278385 - Data Tiering:Detach tier operation should be resilient(continue) when the volume is restarted
1278394 - gluster volume status xml output of tiered volume has all the common services tagged under <coldBricks>
1278900 - check_host_list() should be more robust
1284873 - Poor performance of directory enumerations over SMB
1286038 - glusterd process crashed while setting the option "cluster.extra-hash-regex"
1286572 - [FEAT] DHT - rebalance - rebalance status o/p should be different for 'fix-layout' option, it should not show 'Rebalanced-files' , 'Size', 'Scanned' etc as it is not migrating any files.
1294035 - gluster fails to propagate permissions on the root of a gluster export when adding bricks
1296796 - [DHT]: Rebalance info for remove brick  operation is  not showing after glusterd restart
1298118 - Unable to get the client statedump, as /var/run/gluster directory is not available by default
1299841 - [tiering]: Files of size greater than that of high watermark level should not be promoted
1306120 - [GSS] [RFE] Change the glusterd log file name to glusterd.log
1306656 - [GSS] - Brick ports changed after configuring I/O and management encryption
1312199 - [RFE] quota: enhance quota enable and disable process
1315544 - [GSS] -Gluster NFS server crashing in __mnt3svc_umountall
1317653 - EINVAL errors while aggregating the directory size by quotad
1318000 - [GSS] - Glusterd not operational due to snapshot conflicting with nfs-ganesha export file in "/var/lib/glusterd/snaps"
1319078 - files having different Modify and Change date on replicated brick
1319886 - gluster volume info --xml returns 0 for nonexistent volume
1324053 - quota/cli: quota list with path not working when limit is not set
1325821 - gluster snap status xml output shows incorrect details when the snapshots are in deactivated state
1326066 - [hc][selinux] AVC denial messages seen in audit.log while starting the volume in HCI environment
1327952 - rotated FUSE mount log is using to populate the information after log rotate.
1328451 - observing " Too many levels of symbolic links" after adding bricks and then issuing a replace brick
1332080 - [geo-rep+shard]: Files which were synced to slave before enabling shard doesn't get sync/remove upon modification
1332133 - glusterd + bitrot : unable to create clone of snapshot. error "xlator.c:148:xlator_volopt_dynload] 0-xlator: /usr/lib64/glusterfs/3.7.9/xlator/features/bitrot.so: cannot open shared object file:
1332542 - Tiering related core observed with "uuid_is_null () message".
1333406 - [HC]: After bringing down and up of the bricks  VM's are getting paused
1333484 - slow readdir performance in SMB clients
1333749 - glusterd: glusterd provides stale port information when a volume is recreated with same brick path
1333885 - client ID should logged when SSL connection fails
1334664 - Excessive errors messages are seen in hot tier's brick logs in a tiered volume
1334858 - [Perf] : ls-l is not as performant as it used to be on older RHGS builds
1335029 - set errno in case of inode_link failures
1336267 - [scale]: Bricks not started after node reboot.
1336339 - Sequential volume start&stop  is failing  with SSL  enabled setup.
1336377 - Polling failure errors getting when volume is started&stopped with SSL enabled setup.
1336764 - Bricks doesn't come online after reboot [ Brick Full ]
1337391 - [Bitrot] Need a way to set scrub interval to a minute, for ease of testing
1337444 - [Bitrot]: Scrub status- Certain fields continue to show previous run's details, even if the current run is in progress
1337450 - [Bitrot+Sharding] Scrub status shows incorrect values for 'files scrubbed' and 'files skipped'
1337477 - [Volume Scale] Volume start failed with "Error : Request timed out" after successfully creating & starting around 290 gluster volumes using heketi-cli
1337495 - [Volume Scale] gluster node randomly going to Disconnected state after scaling to more than 290 gluster volumes
1337565 - "nfs-grace-monitor" timed out messages observed
1337811 - [GSS] - enabling glusternfs with nfs.rpc-auth-allow to many hosts failed
1337836 - [Volume Scale] heketi-cli should not attempt to stop and delete a volume as soon as it receives a CLI timeout (120sec) but instead wait until the frame-timeout of 600sec
1337863 - [SSL] : I/O hangs when run from multiple clients on an SSL enabled volume
1338615 - [SSL] : gluster v set help does not show ssl options
1338748 - SAMBA : Error and warning messages related to xlator/features/snapview-client.so adding up to the windows client log on performing IO operations
1339159 - [geo-rep]: Worker died with [Errno 2] No such file or directory
1340338 - "volume status inode" command  is getting timed out if number of files are more in the mount point
1340608 - [RFE] : Support SSL enabled volume via SMB v3
1340756 - [geo-rep]: AttributeError: 'Popen' object has no attribute 'elines'
1340995 - Bricks are starting when server quorum not met.
1341934 - [Bitrot]: Recovery fails of a corrupted hardlink (and the corresponding parent file) in a disperse volume
1342459 - [Bitrot]: Sticky bit files considered and skipped by the scrubber, instead of getting ignored.
1343178 - [Stress/Scale] : I/O errors out from gNFS mount points during high load on an erasure coded volume,Logs flooded with Error messages.
1343320 - [GSS] Gluster fuse client crashed generating core dump
1343695 - [Disperse] : Assertion Failed Error messages in rebalance log post add-brick/rebalance.
1344322 - [geo-rep]: Worker crashed with OSError: [Errno 9] Bad file descriptor
1344651 - tiering : Multiple brick processes crashed on tiered volume while taking snapshots
1344675 - Stale file handle seen on the mount of dist-disperse volume when doing IOs with nfs-ganesha protocol
1344826 - [geo-rep]: Worker crashed with "KeyError: "
1344908 - [geo-rep]: If the data is copied from .snaps directory to the master, it doesn't get sync to slave [First Copy]
1345732 - SAMBA-DHT : Crash seen while rename operations in cifs mount and windows access of share mount
1347251 - fix the issue of Rolling upgrade or non-disruptive upgrade of disperse or erasure code  volume to work
1347257 - spurious heal info as pending heal entries never end on an EC volume while IOs are going on
1347625 - [geo-rep] Stopped geo-rep session gets started automatically once all the master nodes are upgraded
1347922 - nfs-ganesha disable doesn't delete nfs-ganesha folder from /var/run/gluster/shared_storage
1347923 - ganesha.enable remains on in volume info file even after we disable nfs-ganesha on the cluster.
1348949 - ganesha/scripts : [RFE] store volume related configuration in shared storage
1348954 - ganesha/glusterd : remove 'HA_VOL_SERVER' from ganesha-ha.conf
1348962 - ganesha/scripts : copy modified export file during refresh-config
1351589 - [RFE] Eventing for Gluster
1351732 - gluster volume status <volume> client" isn't showing any information when one of the nodes in a 3-way Distributed-Replicate volume is shut down
1351825 - yum groups install RH-Gluster-NFS-Ganesha fails due to outdated nfs-ganesha-nullfs
1351949 - management connection loss when volfile-server goes down
1352125 - Error: quota context not set inode (gfid:nnn) [Invalid argument]
1352805 - [GSS] Rebalance crashed
1353427 - [RFE] CLI to get local state representation for a cluster
1354260 - quota : rectify quota-deem-statfs default value in gluster v set help command
1356058 - glusterd doesn't scan for free ports from base range (49152) if last allocated port is greater than base port
1356804 - Healing of one of the file not happened during upgrade from 3.0.4 to 3.1.3 ( In-service )
1359180 - Make client.io-threads enabled by default
1359588 - [Bitrot - RFE]: On demand scrubbing option to scrub
1359605 - [RFE] Simplify Non Root Geo-replication Setup
1359607 - [RFE] Non root Geo-replication Error logs improvements
1359619 - [GSS]"gluster vol status all clients --xml" get malformed at times, causes gstatus to fail
1360807 - [RFE] Generate events in GlusterD
1360978 - [RFE]Reducing number of network round trips
1361066 - [RFE] DHT Events
1361068 - [RFE] Tier Events
1361078 - [ RFE] Quota Events
1361082 - [RFE]: AFR events
1361084 - [RFE]: EC events
1361086 - [RFE]: posix events
1361098 - Feature: Entry self-heal performance enhancements using more granular changelogs
1361101 - [RFE] arbiter for 3 way replication
1361118 - [RFE] Geo-replication Events
1361155 - Upcall related events
1361170 - [Bitrot - RFE]: Bitrot Events
1361184 - [RFE] Provide snapshot events for the new eventing framework
1361513 - EC: Set/unset dirty flag for all the update operations
1361519 - [Disperse] dd + rm + ls lead to IO hang
1362376 - [RHEL7] Rebase glusterfs at RHGS-3.2.0 release
1364422 - [libgfchangelog]: If changelogs are not available for the requested time range, no distinguished error
1364551 - GlusterFS lost track of 7,800+ file paths preventing self-heal
1366128 - "heal info --xml" not showing the brick name of offline bricks.
1367382 - [RFE]: events from protocol server
1367472 - [GSS]Quota version not changing in the quota.conf after upgrading to 3.1.1 from 3.0.x
1369384 - [geo-replication]: geo-rep Status is not showing bricks from one of the nodes
1369391 - configuration file shouldn't be marked as executable and systemd complains for it
1370350 - Hosted Engine VM paused post replace-brick operation
1371475 - [RFE] : Support SSL enabled volume via NFS Ganesha
1373976 - [geo-rep]: defunct tar process while using tar+ssh sync
1374166 - [GSS]deleted file from nfs-ganesha export goes in to .glusterfs/unlink in RHGS 3.1.3
1375057 - [RHEL-7]Include vdsm and related dependency packages at RHGS 3.2.0 ISO
1375465 - [RFE] Implement multi threaded self-heal for ec volumes
1376464 - [RFE] enable sharding with virt profile - /var/lib/glusterd/groups/virt
1377062 - /var/tmp/rpm-tmp.KPCugR: line 2: /bin/systemctl: No such file or directory
1377387 - glusterd experiencing repeated connect/disconnect messages when shd is down
1378030 - glusterd fails to start without installing glusterfs-events package
1378131 - [GSS] - Recording (ffmpeg) processes on FUSE get hung
1378300 - Modifications to AFR Events
1378342 - Getting "NFS Server  N/A"  entry in the volume status by default.
1378484 - warning messages seen in glusterd logs for each 'gluster volume status' command
1378528 - [SSL] glustershd disconnected from glusterd
1378676 - "transport.address-family: inet" option is not showing  in the Vol info for 3.1.3 volume after updating to 3.2.
1378677 - "nfs.disable: on" is not showing in Vol info by default for the 3.1.3 volumes after updating to 3.2
1378867 - Poor smallfile read performance on Arbiter volume compared to Replica 3 volume
1379241 - qemu-img segfaults while creating qcow2 image on the gluster volume using libgfapi
1379919 - VM errors out while booting from the image on gluster replica 3 volume with compound fops enabled
1379924 - gfapi: Fix fd ref leaks
1379963 - [SELinux] [Eventing]: gluster-eventsapi shows a traceback while adding a webhook
1379966 - Volume restart couldn't re-export the volume exported via ganesha.
1380122 - Labelled geo-rep checkpoints hide geo-replication status
1380257 - [RFE] eventsapi/georep: Events are not available for Checkpoint and Status Change
1380276 - Poor write performance with arbiter volume after enabling sharding on arbiter volume
1380419 - gNFS: Revalidate lookup of a file in case of gfid mismatch
1380605 - Error and warning message getting while removing  glusterfs-events-3.8.4-2 package
1380619 - Ganesha crashes with segfault while doing refresh-config with 3.2 builds.
1380638 - Files not being opened with o_direct flag during random read operation (Glusterfs 3.8.2)
1380655 - Continuous errors getting in the mount log when the volume mount server glusterd is down.
1380710 - invalid argument warning messages seen in fuse client logs 2016-09-30 06:34:58.938667] W [dict.c:418:dict_set] (-->/usr/lib64/glusterfs/3.8.4/xlator/cluster/replicate.so(+0x58722)  0-dict: !this || !value for key=link-count [Invalid argument]
1380742 - Some tests in pynfs test suite fails with latest 3.2 builds.
1381140 - OOM kill  of glusterfs fuse mount process  seen on both the clients with one doing rename and the other doing delete of same files
1381353 - Ganesha crashes on volume restarts
1381452 - OOM kill of nfs-ganesha on one node while fs-sanity test suite is executed.
1381822 - glusterd.log is flooded with socket.management: accept on 11 failed (Too many open files) and glusterd service stops
1381831 - dom_md/ids  is always reported in the self-heal info
1381968 - md-cache: Invalidate cache entry in case of OPEN with O_TRUNC
1382065 - SAMBA-ClientIO-Thread : Samba crashes with segfault while doing multiple mount & unmount of volume share with 3.2 builds
1382277 - Incorrect volume type in the  "glusterd_state" file generated using CLI "gluster get-state"
1382345 - [RHEL7] SELinux prevents starting of RDMA transport type volumes
1384070 - inconsistent file permissions b/w write permission and sticky bits(---------T ) displayed when IOs are going on with md-cache enabled (and within the invalidation cycle)
1384311 - [Eventing]: 'gluster vol bitrot <volname> scrub ondemand' does not produce an event
1384316 - [Eventing]: Events not seen when command is triggered from one of the peer nodes
1384459 - Track the client that performed readdirp
1384460 - segment fault while join thread reaper_thr in fini()
1384481 - [SELinux] Snaphsot : Seeing  AVC denied messages generated when  snapshot and clones are created
1384865 - USS: Snapd  process crashed ,doing  parallel clients operations
1384993 - refresh-config fails and crashes ganesha when mdcache is enabled on the volume.
1385468 - During rebalance continuous "table not found" warning messages are seen in rebalance logs
1385474 - [granular entry sh] - Provide a CLI to enable/disable the feature that checks that there are no heals pending before allowing the operation
1385525 - Continuous warning messages getting when one of the cluster node is down on SSL setup.
1385561 - [Eventing]: BRICK_CONNECTED and BRICK_DISCONNECTED events seen at every heartbeat when a brick-is-killed/volume-stopped
1385605 - fuse mount point not accessible
1385606 - 4 of 8 bricks (2 dht subvols) crashed  on systemic setup
1386127 - Remove-brick status output is showing status of fix-layout instead of original remove-brick status output
1386172 - [Eventing]: UUID is showing zeros in the event message for the peer probe operation.
1386177 - SMB[md-cache]:While multiple connect and disconnect of samba share hang is seen and other share becomes inaccessible
1386185 - [Eventing]: 'gluster volume tier <volname> start force' does not generate a TIER_START event
1386280 - Rebase of redhat-release-server to that of RHEL-7.3
1386366 - The FUSE client log is filling up with posix_acl_default and posix_acl_access messages
1386472 - [Eventing]: 'VOLUME_REBALANCE' event messages have an incorrect volume name
1386477 - [Eventing]: TIER_DETACH_FORCE and TIER_DETACH_COMMIT events seen even after confirming negatively
1386538 - pmap_signin event fails to update brickinfo->signed_in flag
1387152 - [Eventing]: Random VOLUME_SET events seen when no operation is done on the gluster cluster
1387204 - [md-cache]: All bricks crashed while performing symlink and rename from client at the same time
1387205 - SMB:[MD-Cache]:while connecting and disconnecting samba share multiple times from a windows client , saw multiple crashes
1387501 - Asynchronous Unsplit-brain still causes Input/Output Error on system calls
1387544 - [Eventing]: BRICK_DISCONNECTED events seen when a tier volume is stopped
1387558 - libgfapi core dumps
1387563 - [RFE]: md-cache performance enhancement
1388464 - throw warning to show that older tier commands are depricated and will be removed.
1388560 - I/O Errors seen while accessing VM images on gluster volumes using libgfapi
1388711 - Needs more testings of rebalance for the distributed-dispersed volume
1388734 - glusterfs can't self heal character dev file for invalid dev_t parameters
1388755 - Checkpoint completed event missing master node detail
1389168 - glusterd: Display proper error message and fail the command if S32gluster_enable_shared_storage.sh hook script is not present during gluster volume set all cluster.enable-shared-storage <enable/disable> command
1389422 - SMB[md-cache Private Build]:Error messages in brick logs related to upcall_cache_invalidate gf_uuid_is_null
1389661 - Refresh config fails while exporting subdirectories within a volume
1390843 - write-behind: flush stuck by former failed write
1391072 - SAMBA : Unable to play video files in samba share mounted over windows system
1391093 - [Samba-Crash] : Core logs were generated while working on random IOs
1391808 - [setxattr_cbk] "Permission denied" warning messages are seen in logs while running pjd-fstest suite
1392299 - [SAMBA-mdcache]Read hungs and leads to disconnect of samba share while creating IOs from one client & reading from another client
1392761 - During sequential reads backtraces are seen leading to IO hung
1392837 - A hard link is lost during rebalance+lookup
1392895 - Failed to enable nfs-ganesha after disabling nfs-ganesha cluster
1392899 - stat of file is hung with possible deadlock
1392906 - Input/Output Error seen while running iozone test on nfs-ganesha+mdcache enabled volume.
1393316 - OOM Kill on client  when heal is in progress on 1*(2+1) arbiter  volume
1393526 - [Ganesha] : Ganesha crashes intermittently during nfs-ganesha restarts.
1393694 - The directories get renamed when data bricks are offline in 4*(2+1)  volume
1393709 - [Compound FOPs] Client side IObuff leaks at a high pace consumes complete client memory and hence making gluster volume inaccessible
1393758 - I/O errors on FUSE mount point when reading and writing from 2 clients
1394219 - Better logging when reporting failures of the kind "<file-path> Failing MKNOD as quorum is not met"
1394752 - Seeing error messages [snapview-client.c:283:gf_svc_lookup_cbk] and [dht-helper.c:1666ht_inode_ctx_time_update] (-->/usr/lib64/glusterfs/3.8.4/xlator/cluster/replicate.so(+0x5d75c)
1395539 - ganesha-ha.conf --status should validate if the VIPs are assigned to right nodes
1395541 - Lower version of package "redhat-release-server" is present in the RHEL7 RHGS3.2 ISO
1395574 - netstat: command not found message is seen in /var/log/messages when IO's are running.
1395603 - [RFE] JSON output for all Events CLI commands
1395613 - Delayed Events if any one Webhook is slow
1396166 - self-heal info command hangs after triggering self-heal
1396361 - Scheduler : Scheduler should not depend on glusterfs-events package
1396449 - [SAMBA-CIFS] : IO hangs in cifs mount while graph switch on & off
1397257 - capture volume tunables in get-state dump
1397267 - File creation fails with Input/output error + FUSE logs throws "invalid argument: inode [Invalid argument]"
1397286 - Wrong value in Last Synced column during Hybrid Crawl
1397364 - [compound FOPs]: file operation hangs with compound fops
1397430 - PEER_REJECT, EVENT_BRICKPATH_RESOLVE_FAILED, EVENT_COMPARE_FRIEND_VOLUME_FAILED are not seen
1397450 - NFS-Ganesha:Volume reset for any option causes reset of ganesha enable option and bring down the ganesha services
1397681 - [Eventing]: EVENT_POSIX_HEALTH_CHECK_FAILED event not seen when brick underlying filesystem crashed
1397846 - [Compound FOPS]: seeing lot of brick log errors saying matching lock not found for unlock
1398188 - [Arbiter] IO's Halted and heal info command hung
1398257 - [GANESHA] Export ID changed during volume start and stop with message "lookup_export failed with Export id not found" in ganesha.log
1398261 - After ganesha node reboot/shutdown, portblock process goes to FAILED state
1398311 - [compound FOPs]: in replica pair one brick is down the other Brick process and fuse client process consume high memory at an increasing pace
1398315 - [compound FOPs]: Memory leak while doing FOPs with brick down
1398331 - With compound fops on, client process crashes when a replica is brought down while IO is in progress
1398798 - [Ganesha+SSL] : Ganesha crashes on all nodes on volume restarts
1399100 - GlusterFS client crashes during remove-brick operation
1399105 - possible memory leak on client when writing to a file while another client issues a truncate
1399476 - IO hung while doing in-service update from 3.1.3 to 3.2
1399598 - [USS,SSL] .snaps directory is not reachable when I/O encryption (SSL) is enabled
1399698 - AVCs seen when ganesha cluster nodes are rebooted
1399753 - "Insufficient privileges" messages observed in pcs status for nfs_unblock resource agent [RHEL7]
1399757 - Ganesha services are not stopped when pacemaker quorum is lost
1400037 - [Arbiter] Fixed layout failed on the volume after remove-brick while rmdir is progress
1400057 - self-heal not happening, as self-heal info lists the same pending shards to be healed
1400068 - [GANESHA] Adding a node to cluster failed to allocate resource-agents to new node.
1400093 - ls and move hung on disperse volume
1400395 - Memory leak in client-side background heals.
1400599 - [GANESHA] failed to create directory of hostname of new node in var/lib/nfs/ganesha/ in already existing cluster nodes
1401380 - [Compound FOPs] : Memory leaks while doing deep directory creation
1401806 - [GANESHA] Volume restart (stop followed by start) does not re-export the volume
1401814 - [Arbiter] Directory lookup failed with 11(EAGAIN) leading to rebalance failure
1401817 - glusterfsd crashed while taking snapshot using scheduler
1401869 - Rebalance did not happen after being triggered by adding a couple of bricks.
1402360 - CTDB:NFS: CTDB failover doesn't work because of SELinux AVC's
1402683 - Installation of latest available RHGS3.2 RHEL7 ISO is failing with error in the "SOFTWARE SELECTION"
1402774 - Snapshot: Snapshot create command fails when gluster-shared-storage volume is stopped
1403120 - Files remain unhealed forever if shd is disabled and re-enabled while healing is in progress.
1403672 - Snapshot: After snapshot restore failure , snapshot goes into inconsistent state
1403770 - Incorrect incrementation of volinfo refcnt during volume start
1403840 - [GSS]xattr 'replica.split-brain-status' shows the file is in data-splitbrain but "heal split-brain latest-mtime" fails
1404110 - [Eventing]: POSIX_SAME_GFID event seen for .trashcan folder and .trashcan/internal_op
1404541 - Found lower version of packages "python-paramiko", "python-httplib2" and "python-netifaces" in the latest RHGS3.2 RHEL7 ISO.
1404569 - glusterfs-rdma package is not pulled while doing layered installation of RHGS 3.2 on RHEL7 and not present in RHGS RHEL7 ISO also by default and vdsm-cli pkg not pulled during lay.. Installation
1404633 - GlusterFS process crashed after add-brick
1404982 - VM pauses due to storage I/O error, when one of the data bricks is down with arbiter volume/replica volume
1404989 - Fail add-brick command if replica count changes
1404996 - gNFS: nfs.disable option to be set to off on existing volumes after upgrade to 3.2 and on for new volumes on 3.2
1405000 - Remove-brick rebalance failed while rm -rf is in progress
1405299 - fuse mount crashed when VM installation is in progress & one of the brick killed
1405302 - vm does not boot up when first data brick in the arbiter volume is killed.
1406025 - [GANESHA] Deleting a node from ganesha cluster deletes the volume entry from /etc/ganesha/ganesha.conf file
1406322 - repeated operation failed warnings in gluster mount logs with disperse volume
1406401 - [GANESHA] Adding node to ganesha cluster is not assigning the correct VIP to the new node
1406723 - [Perf] : significant Performance regression seen with disperse volume when compared with 3.1.3
1408112 - [Arbiter] After Killing a brick writes drastically slow down
1408413 - [ganesha + EC]posix compliance rename tests failed on EC volume with nfs-ganesha mount.
1408426 - with granular-entry-self-heal enabled i see that there is a gfid mismatch and vm goes to paused state after migrating to another host
1408576 - [Ganesha+SSL] : Bonnie++ hangs during rewrites.
1408639 - [Perf] : Sequential Writes are off target by 12% on EC backed volumes over FUSE
1408641 - [Perf] : Sequential Writes have regressed by ~25% on EC backed volumes over SMB3
1408655 - [Perf] : mkdirs are 85% slower on EC
1408705 - [GNFS+EC] Cthon failures/issues with Lock/Special Test cases on disperse volume with GNFS mount
1408836 - [ganesha+ec]: Contents of original file are not seen when hardlink is created
1409135 - [Replicate] "RPC call decoding failed" leading to IO hang & mount inaccessible
1409472 - brick crashed on systemic setup due to eventing regression
1409563 - [SAMBA-SSL] Volume Share hangs when multiple mount & unmount is performed over a windows client on a SSL enabled cluster
1409782 - NFS Server is not coming up for the 3.1.3 volume after updating to 3.2.0 (latest available build)
1409808 - [Mdcache] clients being served wrong information about a file, can lead to file inconsistency
1410025 - Extra lookup/fstats are sent over the network when a brick is down.
1410406 - ganesha service crashed on all nodes of ganesha cluster on disperse volume when doing lookup while copying files remotely using scp
1411270 - [SNAPSHOT] With all USS plugins enabled .snaps directory is not visible in cifs mount as well as windows mount
1411329 - OOM kill of glusterfsd during continuous add-bricks
1411617 - Spurious split-brain error messages are seen in rebalance logs
1412554 - [RHV-RHGS]: Application VM paused after add brick operation and VM didn't come up after power cycle.
1412955 - Quota: After upgrade from 3.1.3 to 3.2, gluster quota list command shows "No quota configured on volume repvol"
1413351 - [Scale] : Brick process oom-killed and rebalance failed.
1413513 - glusterfind: After glusterfind pre command execution all temporary files and directories /usr/var/lib/misc/glusterfsd/glusterfind/<session>/<volume>/ should be removed
1414247 - client process crashed due to write behind translator
1414663 - [GANESHA] Cthon lock test case is failing on nfs-ganesha mounted Via V3
1415101 - glustershd process crashed on systemic setup
1415583 - [Stress] : SHD Logs flooded with "Heal Failed" messages, filling up "/" quickly
1417177 - Split brain resolution must check for all the bricks to be up to avoid serving inconsistent data (visible on x3 or more)
1417955 - [RFE] Need to have group cli option to set all md-cache options using a single command
1418011 - [RFE] disable client.io-threads on replica volume creation
1418603 - Lower version packages (heketi, libtiff) present in RHGS3.2.0 RHEL7 ISO.
1418901 - Include few more options in virt file
1419859 - [Perf] : Renames are off target by 28% on EC FUSE mounts
1420324 - [GSS] The bricks once disconnected do not connect back if SSL is enabled
1420635 - Modified volume options not synced once offline nodes come up.
1422431 - multiple glusterfsd process crashed making the complete subvolume unavailable
1422576 - [RFE]: provide a CLI option to reset the stime while deleting the geo-rep session
1425740 - Disconnects in nfs mount leads to IO hang and mount inaccessible
1426324 - common-ha: setup after teardown often fails
1426559 - heal info is not giving correct output
1427783 - Improve read performance on tiered volumes

6. Package List:

Red Hat Gluster Storage Server 3.2 on RHEL-7:

Source:
glusterfs-3.8.4-18.el7rhgs.src.rpm
redhat-storage-server-3.2.0.2-1.el7rhgs.src.rpm
vdsm-4.17.33-1.1.el7rhgs.src.rpm

noarch:
python-gluster-3.8.4-18.el7rhgs.noarch.rpm
redhat-storage-server-3.2.0.2-1.el7rhgs.noarch.rpm
vdsm-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-cli-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-debug-plugin-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-gluster-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-hook-ethtool-options-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-hook-faqemu-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-hook-openstacknet-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-hook-qemucmdline-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-infra-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-jsonrpc-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-python-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-tests-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-xmlrpc-4.17.33-1.1.el7rhgs.noarch.rpm
vdsm-yajsonrpc-4.17.33-1.1.el7rhgs.noarch.rpm

x86_64:
glusterfs-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-api-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-api-devel-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-cli-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-client-xlators-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-debuginfo-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-devel-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-events-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-fuse-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-ganesha-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-geo-replication-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-libs-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-rdma-3.8.4-18.el7rhgs.x86_64.rpm
glusterfs-server-3.8.4-18.el7rhgs.x86_64.rpm

Red Hat Storage Native Client for Red Hat Enterprise Linux 7:

Source:
glusterfs-3.8.4-18.el7.src.rpm

noarch:
python-gluster-3.8.4-18.el7.noarch.rpm

x86_64:
glusterfs-3.8.4-18.el7.x86_64.rpm
glusterfs-api-3.8.4-18.el7.x86_64.rpm
glusterfs-api-devel-3.8.4-18.el7.x86_64.rpm
glusterfs-cli-3.8.4-18.el7.x86_64.rpm
glusterfs-client-xlators-3.8.4-18.el7.x86_64.rpm
glusterfs-debuginfo-3.8.4-18.el7.x86_64.rpm
glusterfs-devel-3.8.4-18.el7.x86_64.rpm
glusterfs-fuse-3.8.4-18.el7.x86_64.rpm
glusterfs-libs-3.8.4-18.el7.x86_64.rpm
glusterfs-rdma-3.8.4-18.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
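An administrator applying this advisory usually wants two checks: that every GlusterFS package on a host is at or above the fixed build listed in section 6, and that the updated packages carry Red Hat's signature. The script below is an added example written for this bulletin, not Red Hat's own tooling. It embeds the x86_64 server package list from section 6 and a constructed sample of installed packages (the kind of lines `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` prints), and reimplements rpm's version ordering so that releases such as `18.el7rhgs` compare correctly against `10.el7rhgs`; the `SAMPLE_INSTALLED` inventory is invented for illustration.

```python
"""Added example: compare installed GlusterFS packages with the fixed builds in
RHSA-2017:0484 (RHGS Server 3.2 on RHEL-7, x86_64). Not Red Hat's tooling."""
import re

# Fixed x86_64 packages, copied from section 6 of the advisory above.
FIXED_X86_64 = [
    "glusterfs-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-api-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-api-devel-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-cli-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-client-xlators-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-debuginfo-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-devel-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-events-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-fuse-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-ganesha-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-geo-replication-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-libs-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-rdma-3.8.4-18.el7rhgs.x86_64.rpm",
    "glusterfs-server-3.8.4-18.el7rhgs.x86_64.rpm",
]

# Constructed sample of what `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`
# might print on a partially updated host. Invented for this example, not real data.
SAMPLE_INSTALLED = [
    "glusterfs-3.8.4-10.el7rhgs.x86_64",
    "glusterfs-fuse-3.8.4-18.el7rhgs.x86_64",
    "glusterfs-server-3.7.9-12.el7rhgs.x86_64",
    "glusterfs-libs-3.8.4-18.el7rhgs.x86_64",
    "bash-4.2.46-21.el7_3.x86_64",
]

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Order two version/release strings like rpm's rpmvercmp: split into numeric and
    alphabetic runs, numbers compare numerically and beat letters, a '~' sorts before
    anything (1.0~rc1 < 1.0), and a longer string beats its prefix. Returns -1/0/1."""
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(ta), len(tb))):
        sa = ta[i] if i < len(ta) else None
        sb = tb[i] if i < len(tb) else None
        if sa == "~" or sb == "~":
            if sa == sb:
                continue
            return -1 if sa == "~" else 1
        if sa is None or sb is None:        # one side ran out: the longer one is newer
            return 1 if sb is None else -1
        if sa.isdigit() != sb.isdigit():    # numeric segment beats alphabetic segment
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            if int(sa) != int(sb):
                return 1 if int(sa) > int(sb) else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    return 0


def parse_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def needs_update(installed_vr, fixed_vr):
    """True if the installed (version, release) pair is older than the fixed one."""
    rc = rpmvercmp(installed_vr[0], fixed_vr[0])
    if rc == 0:
        rc = rpmvercmp(installed_vr[1], fixed_vr[1])
    return rc < 0


def audit(installed, fixed):
    """Return (name, installed version-release, fixed version-release) for each
    installed package the advisory lists that is still below the fixed build.
    Packages the advisory does not cover are ignored."""
    fixed_map = {}
    for pkg in fixed:
        name, version, release, _arch = parse_nvra(pkg)
        fixed_map[name] = (version, release)
    findings = []
    for pkg in installed:
        name, version, release, _arch = parse_nvra(pkg)
        if name in fixed_map and needs_update((version, release), fixed_map[name]):
            findings.append((name, f"{version}-{release}", "-".join(fixed_map[name])))
    return findings


if __name__ == "__main__":
    for name, have, want in audit(SAMPLE_INSTALLED, FIXED_X86_64):
        print(f"{name}: installed {have}, advisory fixes {want}")
    # Once updated, `rpm -K <file>.rpm` on the downloaded packages (or the Signature
    # line of `rpm -qi <name>`) confirms they carry Red Hat's GPG signature.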

7. References:

https://access.redhat.com/security/cve/CVE-2015-1795
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.2/html/3.2_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY03g6XlSAg2UNWIIRAjWOAJ0UTc4GcDXKGwXruZfKnxgtk1Me0gCdHAN5
0LfDqpcqxs8oTpS7jVq/hXg=
=xR1v
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----