* [m-c-s][PATCH 1/2] glusterfs: fix CVE-2018-1088
@ 2018-09-13 8:58 Chen Qi
2018-09-13 8:58 ` [m-c-s][PATCH 2/2] glusterfs: fix CVE-2018-10841 Chen Qi
0 siblings, 1 reply; 3+ messages in thread
From: Chen Qi @ 2018-09-13 8:58 UTC (permalink / raw)
To: meta-virtualization
Backport patches to fix the following CVE.
CVE: CVE-2018-1088
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
...age-Prevent-mounting-shared-storage-from-.patch | 70 ++++++
...auth-add-option-for-strict-authentication.patch | 280 +++++++++++++++++++++
recipes-extended/glusterfs/glusterfs.inc | 2 +
3 files changed, 352 insertions(+)
create mode 100644 recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
create mode 100644 recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
diff --git a/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
new file mode 100644
index 0000000..0e24c56
--- /dev/null
+++ b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
@@ -0,0 +1,70 @@
+From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001
+From: Mohammed Rafi KC <rkavunga@redhat.com>
+Date: Mon, 26 Mar 2018 20:27:34 +0530
+Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from
+ non-trusted client
+
+gluster shared storage is a volume used for internal storage for
+various features including ganesha, geo-rep, snapshot.
+
+So this volume should not be exposed to the client, as it is
+a special volume for internal use.
+
+This fix wont't generate non trusted volfile for shared storage volume.
+
+Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c
+fixes: bz#1568844
+BUG: 1568844
+Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
+
+Upstream-Status: Backport
+Fix CVE-2018-1088
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+
+---
+ xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
+index 0a0668e..308c41f 100644
+--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
+@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
+ int i = 0;
+ int ret = -1;
+ char filepath[PATH_MAX] = {0,};
++ char *volname = NULL;
+ char *types[] = {NULL, NULL, NULL};
+ dict_t *dict = NULL;
+ xlator_t *this = NULL;
+@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
+
+ this = THIS;
+
++ volname = volinfo->is_snap_volume ?
++ volinfo->parent_volname : volinfo->volname;
++
++
++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
++ client_type != GF_CLIENT_TRUSTED) {
++ /*
++ * shared storage volume cannot be mounted from non trusted
++ * nodes. So we are not creating volfiles for non-trusted
++ * clients for shared volumes as well as snapshot of shared
++ * volumes.
++ */
++
++ ret = 0;
++ gf_msg_debug ("glusterd", 0, "Skipping the non-trusted volfile"
++ "creation for shared storage volume. Volume %s",
++ volname);
++ goto out;
++ }
++
+ enumerate_transport_reqs (volinfo->transport_type, types);
+ dict = dict_new ();
+ if (!dict)
+--
+2.7.4
+
diff --git a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
new file mode 100644
index 0000000..8947f27
--- /dev/null
+++ b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
@@ -0,0 +1,280 @@
+From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001
+From: Mohammed Rafi KC <rkavunga@redhat.com>
+Date: Mon, 2 Apr 2018 12:20:47 +0530
+Subject: [PATCH 2/3] server/auth: add option for strict authentication
+
+When this option is enabled, we will check for a matching
+username and password, if not found then the connection will
+be rejected. This also does a checksum validation of volfile
+
+The option is invalid when SSL/TLS is in use, at which point
+the SSL/TLS certificate user name is used to validate and
+hence authorize the right user. This expects TLS allow rules
+to be setup correctly rather than the default *.
+
+This option is not settable, as a result this cannot be enabled
+for volumes using the CLI. This is used with the shared storage
+volume, to restrict access to the same in non-SSL/TLS environments
+to the gluster peers only.
+
+Tested:
+ ./tests/bugs/protocol/bug-1321578.t
+ ./tests/features/ssl-authz.t
+ - Ran tests on volumes with and without strict auth
+ checking (as brick vol file needed to be edited to test,
+ or rather to enable the option)
+ - Ran tests on volumes to ensure existing mounts are
+ disconnected when we enable strict checking
+
+Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
+fixes: bz#1568844
+Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
+Signed-off-by: ShyamsundarR <srangana@redhat.com>
+
+Upstream-Status: Backport
+Fix CVE-2018-1088
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+
+---
+ xlators/mgmt/glusterd/src/glusterd-volgen.c | 16 +++++++-
+ xlators/protocol/auth/login/src/login.c | 51 ++++++++++++++++++++++----
+ xlators/protocol/server/src/authenticate.h | 4 +-
+ xlators/protocol/server/src/server-handshake.c | 2 +-
+ xlators/protocol/server/src/server.c | 18 +++++++++
+ xlators/protocol/server/src/server.h | 2 +
+ 6 files changed, 81 insertions(+), 12 deletions(-)
+
+diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
+index 308c41f..8dd4907 100644
+--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
+@@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
+ char *password = NULL;
+ char key[1024] = {0};
+ char *ssl_user = NULL;
++ char *volname = NULL;
+ char *address_family_data = NULL;
+
+ if (!graph || !volinfo || !set_dict || !brickinfo)
+@@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
+ if (ret)
+ return -1;
+
++ volname = volinfo->is_snap_volume ?
++ volinfo->parent_volname : volinfo->volname;
++
++
++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
++ memset (key, 0, sizeof (key));
++ snprintf (key, sizeof (key), "strict-auth-accept");
++
++ ret = xlator_set_option (xl, key, "true");
++ if (ret)
++ return -1;
++ }
++
+ if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
+ memset (key, 0, sizeof (key));
+ snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
+@@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
+
+
+ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
+- client_type != GF_CLIENT_TRUSTED) {
++ client_type != GF_CLIENT_TRUSTED) {
+ /*
+ * shared storage volume cannot be mounted from non trusted
+ * nodes. So we are not creating volfiles for non-trusted
+diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
+index e799dd2..da10d0b 100644
+--- a/xlators/protocol/auth/login/src/login.c
++++ b/xlators/protocol/auth/login/src/login.c
+@@ -11,6 +11,16 @@
+ #include <fnmatch.h>
+ #include "authenticate.h"
+
++/* Note on strict_auth
++ * - Strict auth kicks in when authentication is using the username, password
++ * in the volfile to login
++ * - If enabled, auth is rejected if the username and password is not matched
++ * or is not present
++ * - When using SSL names, this is automatically strict, and allows only those
++ * names that are present in the allow list, IOW strict auth checking has no
++ * implication when using SSL names
++*/
++
+ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+ {
+ auth_result_t result = AUTH_DONT_CARE;
+@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+ char *tmp = NULL;
+ char *username_cpy = NULL;
+ gf_boolean_t using_ssl = _gf_false;
++ gf_boolean_t strict_auth = _gf_false;
+
+ username_data = dict_get (input_params, "ssl-name");
+ if (username_data) {
+@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+ using_ssl = _gf_true;
+ }
+ else {
++ ret = dict_get_str_boolean (config_params, "strict-auth-accept",
++ _gf_false);
++ if (ret == -1)
++ strict_auth = _gf_false;
++ else
++ strict_auth = ret;
++
+ username_data = dict_get (input_params, "username");
+ if (!username_data) {
+- gf_log ("auth/login", GF_LOG_DEBUG,
+- "username not found, returning DONT-CARE");
++ if (strict_auth) {
++ gf_log ("auth/login", GF_LOG_DEBUG,
++ "username not found, strict auth"
++ " configured returning REJECT");
++ result = AUTH_REJECT;
++ } else {
++ gf_log ("auth/login", GF_LOG_DEBUG,
++ "username not found, returning"
++ " DONT-CARE");
++ }
+ goto out;
+ }
+ password_data = dict_get (input_params, "password");
+ if (!password_data) {
+- gf_log ("auth/login", GF_LOG_WARNING,
+- "password not found, returning DONT-CARE");
++ if (strict_auth) {
++ gf_log ("auth/login", GF_LOG_DEBUG,
++ "password not found, strict auth"
++ " configured returning REJECT");
++ result = AUTH_REJECT;
++ } else {
++ gf_log ("auth/login", GF_LOG_WARNING,
++ "password not found, returning"
++ " DONT-CARE");
++ }
+ goto out;
+ }
+ password = data_to_str (password_data);
+@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+ ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
+ using_ssl ? "ssl-allow" : "allow");
+ if (-1 == ret) {
+- gf_log ("auth/login", GF_LOG_WARNING,
++ gf_log ("auth/login", GF_LOG_ERROR,
+ "asprintf failed while setting search string, "
+- "returning DONT-CARE");
++ "returning REJECT");
++ result = AUTH_REJECT;
+ goto out;
+ }
+
+@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
+ * ssl-allow=* case as well) authorization is effectively
+ * disabled, though authentication and encryption are still
+ * active.
++ *
++ * Read NOTE on strict_auth above.
+ */
+- if (using_ssl) {
++ if (using_ssl || strict_auth) {
+ result = AUTH_REJECT;
+ }
+ username_cpy = gf_strdup (allow_user->data);
+diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
+index 3f80231..5f92183 100644
+--- a/xlators/protocol/server/src/authenticate.h
++++ b/xlators/protocol/server/src/authenticate.h
+@@ -37,10 +37,8 @@ typedef struct {
+ volume_opt_list_t *vol_opt;
+ } auth_handle_t;
+
+-auth_result_t gf_authenticate (dict_t *input_params,
+- dict_t *config_params,
+- dict_t *auth_modules);
+ int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
+ void gf_auth_fini (dict_t *auth_modules);
++auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);
+
+ #endif /* _AUTHENTICATE_H */
+diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
+index f00804a..392a101 100644
+--- a/xlators/protocol/server/src/server-handshake.c
++++ b/xlators/protocol/server/src/server-handshake.c
+@@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req)
+ ret = dict_get_str (params, "volfile-key",
+ &volfile_key);
+ if (ret)
+- gf_msg_debug (this->name, 0, "failed to set "
++ gf_msg_debug (this->name, 0, "failed to get "
+ "'volfile-key'");
+
+ ret = _validate_volfile_checksum (this, volfile_key,
+diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
+index 202fe71..61c6194 100644
+--- a/xlators/protocol/server/src/server.c
++++ b/xlators/protocol/server/src/server.c
+@@ -883,6 +883,10 @@ do_rpc:
+ goto out;
+ }
+
++ GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
++ options, bool, out);
++
++
+ GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
+ bool, out);
+
+@@ -1113,6 +1117,14 @@ init (xlator_t *this)
+ "Failed to initialize group cache.");
+ goto out;
+ }
++
++ ret = dict_get_str_boolean (this->options, "strict-auth-accept",
++ _gf_false);
++ if (ret == -1)
++ conf->strict_auth_enabled = _gf_false;
++ else
++ conf->strict_auth_enabled = ret;
++
+ ret = dict_get_str_boolean (this->options, "dynamic-auth",
+ _gf_true);
+ if (ret == -1)
+@@ -1667,5 +1679,11 @@ struct volume_options options[] = {
+ "transport connection immediately in response to "
+ "*.allow | *.reject volume set options."
+ },
++ { .key = {"strict-auth-accept"},
++ .type = GF_OPTION_TYPE_BOOL,
++ .default_value = "off",
++ .description = "strict-auth-accept reject connection with out"
++ "a valid username and password."
++ },
+ { .key = {NULL} },
+ };
+diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
+index 0b37eb1..7eea291 100644
+--- a/xlators/protocol/server/src/server.h
++++ b/xlators/protocol/server/src/server.h
+@@ -24,6 +24,7 @@
+ #include "client_t.h"
+ #include "gidcache.h"
+ #include "defaults.h"
++#include "authenticate.h"
+
+ #define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */
+ #define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol"
+@@ -105,6 +106,7 @@ struct server_conf {
+ * false, when child is down */
+
+ gf_lock_t itable_lock;
++ gf_boolean_t strict_auth_enabled;
+ };
+ typedef struct server_conf server_conf_t;
+
+--
+2.7.4
+
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
index 02c8a6a..8bf5653 100644
--- a/recipes-extended/glusterfs/glusterfs.inc
+++ b/recipes-extended/glusterfs/glusterfs.inc
@@ -20,6 +20,8 @@ SRC_URI += "file://glusterd.init \
file://libglusterfs-Don-t-link-against-libfl.patch \
file://glusterd-change-port-range.patch \
file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \
+ file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
+ file://0002-server-auth-add-option-for-strict-authentication.patch \
"
LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [m-c-s][PATCH 2/2] glusterfs: fix CVE-2018-10841
2018-09-13 8:58 [m-c-s][PATCH 1/2] glusterfs: fix CVE-2018-1088 Chen Qi
@ 2018-09-13 8:58 ` Chen Qi
2018-09-13 9:59 ` ChenQi
0 siblings, 1 reply; 3+ messages in thread
From: Chen Qi @ 2018-09-13 8:58 UTC (permalink / raw)
To: meta-virtualization
Backport patch to fix the following CVE.
CVE: CVE-2018-10841
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
...ccess-trusted-peer-group-via-remote-host-.patch | 43 ++++++++++++++++++++++
recipes-extended/glusterfs/glusterfs.inc | 1 +
2 files changed, 44 insertions(+)
create mode 100644 recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
diff --git a/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch b/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
new file mode 100644
index 0000000..dcbb435
--- /dev/null
+++ b/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
@@ -0,0 +1,43 @@
+From e79741414777c25e5c2a08e6c31619a0fbaad058 Mon Sep 17 00:00:00 2001
+From: Mohit Agrawal <moagrawa@redhat.com>
+Date: Wed, 20 Jun 2018 16:13:00 +0530
+Subject: [PATCH 3/3] glusterfs: access trusted peer group via remote-host
+ command
+
+Problem: In SSL environment the user is able to access volume
+ via remote-host command without adding node in a trusted pool
+
+Solution: Change the list of rpc program in glusterd.c at the
+ time of initialization while SSL is enabled
+
+BUG: 1593232
+Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
+fixes: bz#1593232
+Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
+
+Upstream-Status: Backport
+Fix CVE-2018-10841
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ xlators/mgmt/glusterd/src/glusterd.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/xlators/mgmt/glusterd/src/glusterd.c b/xlators/mgmt/glusterd/src/glusterd.c
+index ef20689..5e0ed8d 100644
+--- a/xlators/mgmt/glusterd/src/glusterd.c
++++ b/xlators/mgmt/glusterd/src/glusterd.c
+@@ -1646,11 +1646,6 @@ init (xlator_t *this)
+ goto out;
+ }
+ /*
+- * With strong authentication, we can afford to allow
+- * privileged operations over TCP.
+- */
+- gd_inet_programs[1] = &gd_svc_cli_prog;
+- /*
+ * This is the only place where we want secure_srvr to reflect
+ * the management-plane setting.
+ */
+--
+2.7.4
+
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
index 8bf5653..fa25bd8 100644
--- a/recipes-extended/glusterfs/glusterfs.inc
+++ b/recipes-extended/glusterfs/glusterfs.inc
@@ -22,6 +22,7 @@ SRC_URI += "file://glusterd.init \
file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \
file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
file://0002-server-auth-add-option-for-strict-authentication.patch \
+ file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patc \
"
LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [m-c-s][PATCH 2/2] glusterfs: fix CVE-2018-10841
2018-09-13 8:58 ` [m-c-s][PATCH 2/2] glusterfs: fix CVE-2018-10841 Chen Qi
@ 2018-09-13 9:59 ` ChenQi
0 siblings, 0 replies; 3+ messages in thread
From: ChenQi @ 2018-09-13 9:59 UTC (permalink / raw)
To: meta-virtualization
Please ignore this patch.
It has a typo 'patc', which should be 'patch', and thus will cause
do_fetch failure.
I forgot to test it.
I'll send out V2.
Best Regards,
Chen Qi
On 09/13/2018 04:58 PM, Chen Qi wrote:
> Backport patch to fix the following CVE.
>
> CVE: CVE-2018-10841
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> ...ccess-trusted-peer-group-via-remote-host-.patch | 43 ++++++++++++++++++++++
> recipes-extended/glusterfs/glusterfs.inc | 1 +
> 2 files changed, 44 insertions(+)
> create mode 100644 recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
>
> diff --git a/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch b/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
> new file mode 100644
> index 0000000..dcbb435
> --- /dev/null
> +++ b/recipes-extended/glusterfs/files/0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch
> @@ -0,0 +1,43 @@
> +From e79741414777c25e5c2a08e6c31619a0fbaad058 Mon Sep 17 00:00:00 2001
> +From: Mohit Agrawal <moagrawa@redhat.com>
> +Date: Wed, 20 Jun 2018 16:13:00 +0530
> +Subject: [PATCH 3/3] glusterfs: access trusted peer group via remote-host
> + command
> +
> +Problem: In SSL environment the user is able to access volume
> + via remote-host command without adding node in a trusted pool
> +
> +Solution: Change the list of rpc program in glusterd.c at the
> + time of initialization while SSL is enabled
> +
> +BUG: 1593232
> +Change-Id: I987e433b639e68ad17b77b6452df1e22dbe0f199
> +fixes: bz#1593232
> +Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
> +
> +Upstream-Status: Backport
> +Fix CVE-2018-10841
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + xlators/mgmt/glusterd/src/glusterd.c | 5 -----
> + 1 file changed, 5 deletions(-)
> +
> +diff --git a/xlators/mgmt/glusterd/src/glusterd.c b/xlators/mgmt/glusterd/src/glusterd.c
> +index ef20689..5e0ed8d 100644
> +--- a/xlators/mgmt/glusterd/src/glusterd.c
> ++++ b/xlators/mgmt/glusterd/src/glusterd.c
> +@@ -1646,11 +1646,6 @@ init (xlator_t *this)
> + goto out;
> + }
> + /*
> +- * With strong authentication, we can afford to allow
> +- * privileged operations over TCP.
> +- */
> +- gd_inet_programs[1] = &gd_svc_cli_prog;
> +- /*
> + * This is the only place where we want secure_srvr to reflect
> + * the management-plane setting.
> + */
> +--
> +2.7.4
> +
> diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
> index 8bf5653..fa25bd8 100644
> --- a/recipes-extended/glusterfs/glusterfs.inc
> +++ b/recipes-extended/glusterfs/glusterfs.inc
> @@ -22,6 +22,7 @@ SRC_URI += "file://glusterd.init \
> file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \
> file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
> file://0002-server-auth-add-option-for-strict-authentication.patch \
> + file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patc \
> "
>
> LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-09-13 9:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-13 8:58 [m-c-s][PATCH 1/2] glusterfs: fix CVE-2018-1088 Chen Qi
2018-09-13 8:58 ` [m-c-s][PATCH 2/2] glusterfs: fix CVE-2018-10841 Chen Qi
2018-09-13 9:59 ` ChenQi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.