[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1112 and expand notes for CVE-2018-1088
Salvatore Bonaccorso
carnil at debian.org
Wed Apr 25 07:20:14 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
23b5a9c8 by Salvatore Bonaccorso at 2018-04-25T08:19:49+02:00
Add CVE-2018-1112 and expand notes for CVE-2018-1088
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -24989,8 +24989,10 @@ CVE-2018-1114
RESERVED
CVE-2018-1113
RESERVED
-CVE-2018-1112
+CVE-2018-1112 [glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression)]
RESERVED
+ - glusterfs <not-affected> (Fix for CVE-2018-1088 was not applied/ incomplete fix not applied)
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1570891
CVE-2018-1111
RESERVED
CVE-2018-1110 [Improper Input Validation]
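Review bot: The reason given on the added "- glusterfs <not-affected>" line is hard to parse: "Fix for CVE-2018-1088 was not applied/ incomplete fix not applied" states the same thing twice and has a stray space after the slash. The status holds only while the package does not carry the incomplete CVE-2018-1088 fix, so a single statement such as "(Incomplete fix for CVE-2018-1088 not applied)" would make that condition clearer to whoever later triages the CVE-2018-1088 update.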
@@ -25084,6 +25086,10 @@ CVE-2018-1088 (A privilege escalation flaw was found in gluster 3.x snapshot ...
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1558721
NOTE: https://review.gluster.org/#/c/19899/
NOTE: https://review.gluster.org/#/c/19898/
+ NOTE: When fixing the issue it's important to not apply the incomplete fix and open
+ NOTE: CVE-2018-1112 causing that auth.allow allows all clients to mount volumes.
+ NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1570891
+ NOTE: Needs: https://review.gluster.org/#/c/19899/1..2
CVE-2018-1087
RESERVED
CVE-2018-1086 (pcs before versions 0.9.164 and 0.10 is vulnerable to a debug ...)
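Review bot: The first two NOTE lines added under CVE-2018-1088 break mid-sentence ("...not apply the incomplete fix and open" / "CVE-2018-1112 causing that auth.allow allows all clients to mount volumes."), so neither line is clear when read alone, and the wording is awkward. Suggest one self-contained line, for example "NOTE: The incomplete fix introduces CVE-2018-1112 (auth.allow lets all clients mount volumes)". The "Needs:" line points at a 1..2 range of change 19899, which is already listed above without a revision; it would help to say explicitly which revision of that change is the complete fix, so the warning can be acted on without opening the bug.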
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/23b5a9c826749a02aa637f5518ca20b24a19ef3b