Bug 1633259

Summary: gd2: respin/rerelease 4.1 vendor tarball to update golang.org/x/net/html/...
Product: [Community] GlusterFS
Reporter: Kaleb KEITHLEY <kkeithle>
Component: glusterd2
Assignee: Kaushal <kaushal>
Status: CLOSED NOTABUG
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.1
CC: bugs
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-30 14:44:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1638055

Description Kaleb KEITHLEY 2018-09-26 14:21:14 UTC
Description of problem:

https://bugzilla.redhat.com/show_bug.cgi?id=1633022

and https://github.com/heketi/heketi/issues/1372

Debian, Ubuntu, SUSE, and CentOS Storage SIG packages are all built from the vendor tarball.

Comment 1 Kaushal 2018-10-11 13:02:25 UTC
TL;DR CVE does not affect GD2.

GD2 uses neither html.Parse() nor the golang.org/x/net/html package, and none of the other GD2 dependencies use html.Parse() or have a dependency on golang.org/x/net/html.

The golang.org/x/net/html package is part of a larger repository that also contains golang.org/x/net/context, which is a dependency of GD2 brought in by gRPC.

The shipped GD2 binaries in the distro packages are not affected by the html.Parse() CVE. In any case, even if the net/html package were used by GD2, the Go build system by default strips unused functions and methods out of the built binary, so html.Parse() would be stripped out because it is unused.

The source tarball that contains the vendored source for golang.org/x/net/html has the source file with the CVE, but it is in no way exploitable, as the source tarball doesn't have any executables that use html.Parse().

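To verify a claim like the one in Comment 1 for any vendor tarball, the question to answer is whether the package is reachable from the root package's import graph, not whether its source happens to sit under vendor/. The Go program below is an added editorial example, not code from this bug report or from the glusterd2 project. It parses only import clauses with go/parser, follows every third-party import into root/vendor/<import path> (the single top-level vendor directory a vendor tarball ships; GOPATH-style nested vendor directories are not resolved), and runs against a constructed fixture whose file contents, including a stand-in google.golang.org/grpc, are hypothetical and mirror the situation described: gRPC pulls in golang.org/x/net/context, while golang.org/x/net/html sits in the same vendored repository with nothing importing it.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"os"
	"path/filepath"
	"strings"
)

// directImports returns the import paths of the non-test .go files in dir (import clauses only).
func directImports(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if os.IsNotExist(err) {
		return nil, nil // not vendored here: nothing further to follow
	} else if err != nil {
		return nil, err
	}
	var imports []string
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || !strings.HasSuffix(name, ".go") || strings.HasSuffix(name, "_test.go") {
			continue
		}
		f, err := parser.ParseFile(token.NewFileSet(), filepath.Join(dir, name), nil, parser.ImportsOnly)
		if err != nil {
			return nil, err
		}
		for _, spec := range f.Imports {
			imports = append(imports, strings.Trim(spec.Path.Value, "\"`"))
		}
	}
	return imports, nil
}

// isStdlib applies the toolchain's rule: a first path element without a dot is the standard library.
func isStdlib(path string) bool {
	return !strings.Contains(strings.SplitN(path, "/", 2)[0], ".")
}

// Reachable walks the import graph from the package in root, resolving each non-stdlib
// import to root/vendor/<import path>, and returns the set of third-party packages the
// build actually links. A directory under vendor/ that nothing imports never appears in it.
func Reachable(root string) (map[string]bool, error) {
	reached := map[string]bool{}
	var walk func(dir string) error
	walk = func(dir string) error {
		imports, err := directImports(dir)
		if err != nil {
			return err
		}
		for _, imp := range imports {
			if isStdlib(imp) || reached[imp] {
				continue
			}
			reached[imp] = true
			if err := walk(filepath.Join(root, "vendor", filepath.FromSlash(imp))); err != nil {
				return err
			}
		}
		return nil
	}
	return reached, walk(root)
}

// WriteFixture lays out a constructed vendor tree mirroring this bug: main imports gRPC,
// gRPC imports golang.org/x/net/context, and golang.org/x/net/html is vendored but unimported.
func WriteFixture(root string) error {
	files := map[string]string{
		"main.go":                                    "package main\n\nimport (\n\t\"fmt\"\n\t\"google.golang.org/grpc\"\n)\n\nfunc main() { fmt.Println(grpc.Version) }\n",
		"vendor/google.golang.org/grpc/grpc.go":      "package grpc\n\nimport _ \"golang.org/x/net/context\"\n\nconst Version = \"constructed\"\n",
		"vendor/golang.org/x/net/context/context.go": "package context\n",
		"vendor/golang.org/x/net/html/parse.go":      "package html\n\n// Parse stands in for the affected function; nothing imports this package.\nfunc Parse() {}\n",
	}
	for rel, src := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(src), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "vendor-audit")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err = WriteFixture(root); err != nil {
		panic(err)
	}
	reached, err := Reachable(root)
	fmt.Println(reached, err) // map[golang.org/x/net/context:true google.golang.org/grpc:true] <nil>
}
```

On a real tarball, call Reachable on the unpacked source root instead of the fixture: the vendored copy of golang.org/x/net/html is only a concern if it appears in the returned set. The second half of the argument in Comment 1, that an unreferenced html.Parse would not survive linking even if the package were imported, is a property of the built artifact rather than the source tree, and is checked separately on the shipped binary with `go tool nm <binary> | grep 'html.Parse'`, which lists the symbol only if the linker kept it.
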
Comment 2 Kaushal 2018-10-11 13:30:21 UTC
In any case, I've made a new GD2 release, v4.1.1 [1], just to avoid the back and forth.

I'll repeat it again: the built GD2 v4.1.0 binaries and packages are not affected by this CVE.

[1]: https://github.com/gluster/glusterd2/releases/tag/v4.1.1