Heketi v5.0.1 is now available.

This release [1] fixes a flaw in the heketi API that allows an
attacker to execute OS commands on the heketi server through
specially crafted requests, possibly leading to escalation of
privileges. More details can be obtained at CVE-2017-15103 [2].

If authentication is turned on in the heketi configuration, the
flaw can be exploited only by those who possess an authentication
key. If you have a deployment where authentication is not set to
true, we recommend that you turn it on and also upgrade to the
version with the fix.
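The recommendation above has two parts: authentication must be enabled, and the JWT keys it relies on must actually be set. The following audit script is an added example and is not part of the announcement or of the heketi project; it assumes the documented layout of heketi.json (a top-level "use_auth" boolean and per-role keys under "jwt.admin.key" and "jwt.user.key"), and the sample configurations embedded in it are constructed for illustration.

```python
import json
import secrets

# Constructed sample heketi.json contents (assumption: heketi's documented
# "use_auth" / "jwt" layout; verify against the heketi.json shipped with
# your version). The weak one matches the "authentication not set to true"
# deployment the announcement warns about.
WEAK_CONFIG = json.dumps({
    "port": "8080",
    "use_auth": False,
    "jwt": {"admin": {"key": ""}, "user": {"key": ""}},
})

HARDENED_CONFIG = json.dumps({
    "port": "8080",
    "use_auth": True,
    "jwt": {
        "admin": {"key": "REPLACE-WITH-A-LONG-RANDOM-ADMIN-KEY-0000"},
        "user": {"key": "REPLACE-WITH-A-LONG-RANDOM-USER-KEY-00000"},
    },
})

MIN_KEY_LEN = 32  # local policy choice for this example, not a heketi requirement


def audit_heketi_config(text):
    """Return a list of findings for a heketi.json document (empty = OK).

    Checks that authentication is enabled and that both JWT keys are
    present and not trivially short.
    """
    cfg = json.loads(text)
    findings = []
    if cfg.get("use_auth") is not True:
        findings.append("use_auth is not true: the API accepts unauthenticated requests")
    jwt = cfg.get("jwt") or {}
    for role in ("admin", "user"):
        key = (jwt.get(role) or {}).get("key", "")
        if not key:
            findings.append(f"jwt.{role}.key is empty")
        elif len(key) < MIN_KEY_LEN:
            findings.append(f"jwt.{role}.key is short ({len(key)} chars)")
    return findings


def harden_heketi_config(text):
    """Return a copy of the config with use_auth enabled and any empty or
    short JWT key replaced by a freshly generated random one."""
    cfg = json.loads(text)
    cfg["use_auth"] = True
    jwt = cfg.setdefault("jwt", {})
    for role in ("admin", "user"):
        entry = jwt.setdefault(role, {})
        if len(entry.get("key", "")) < MIN_KEY_LEN:
            entry["key"] = secrets.token_urlsafe(48)  # 64 URL-safe characters
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_heketi_config(text) or "OK")
    print(harden_heketi_config(WEAK_CONFIG))
```

Run it against a real deployment by replacing the constructed strings with the contents of the server's heketi.json; a non-empty finding list means the service still accepts unauthenticated API requests and the upgrade alone does not close the exposure window described above.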


We thank Markus Krell of NTT Security for identifying
the vulnerability and notifying us about it.

The fix was provided by Raghavendra Talur of Red Hat.


Note that previous versions of Heketi are discontinued,
and users are strongly recommended to upgrade to Heketi 5.0.1.


Michael Adam on behalf of the Heketi team


[1] https://github.com/heketi/heketi/releases/tag/v5.0.1
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15103

_______________________________________________
heketi-devel mailing list
heketi-devel@gluster.org
http://lists.gluster.org/mailman/listinfo/heketi-devel