Release notes for Gluster 3.12.14
This is a bugfix release. The release notes for 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12 and 3.12.13 contain a listing of all the new features that were added and bugs fixed in the GlusterFS 3.12 stable release.
Major changes, features and limitations addressed in this release
- This release contains fix for following security vulnerabilities,
- https://nvd.nist.gov/vuln/detail/CVE-2018-10904
- https://nvd.nist.gov/vuln/detail/CVE-2018-10907
- https://nvd.nist.gov/vuln/detail/CVE-2018-10911
- https://nvd.nist.gov/vuln/detail/CVE-2018-10913
- https://nvd.nist.gov/vuln/detail/CVE-2018-10914
- https://nvd.nist.gov/vuln/detail/CVE-2018-10923
- https://nvd.nist.gov/vuln/detail/CVE-2018-10926
- https://nvd.nist.gov/vuln/detail/CVE-2018-10927
- https://nvd.nist.gov/vuln/detail/CVE-2018-10928
- https://nvd.nist.gov/vuln/detail/CVE-2018-10929
-
https://nvd.nist.gov/vuln/detail/CVE-2018-10930
-
To resolve the security vulnerabilities following limitations were made in GlusterFS
- open,read,write on special files like char and block are no longer permitted
- io-stat xlator can dump stat info only to /var/run/gluster directory
-
Addressed an issue that affected copying a file over SSL/TLS in a volume
Installing the updated packages and restarting gluster services on gluster brick hosts, will fix the security issues.
Major issues
None
Bugs addressed
Bugs addressed since release-3.12.14 are listed below.
- #1622405: Problem with SSL/TLS encryption on Gluster 4.0 & 4.1
- #1625286: Information Exposure in posix_get_file_contents function in posix-helpers.c
- #1625648: I/O to arbitrary devices on storage server
- #1625654: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
- #1625656: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
- #1625660: Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
- #1625664: Files can be renamed outside volume