Release notes for Gluster 3.12.14
This is a bugfix release. The release notes for 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12 and 3.12.13 contain a listing of all the new features that were added and bugs fixed in the GlusterFS 3.12 stable release.
Major changes, features and limitations addressed in this release
This release contains fix for following security vulnerabilities,
To resolve the security vulnerabilities following limitations were made in GlusterFS
open,read,write on special files like char and block are no longer permitted
io-stat xlator can dump stat info only to /var/run/gluster directory
Addressed an issue that affected copying a file over SSL/TLS in a volume
Installing the updated packages and restarting gluster services on gluster brick hosts, will fix the security issues.
Bugs addressed since release-3.12.14 are listed below.
- #1622405: Problem with SSL/TLS encryption on Gluster 4.0 & 4.1
- #1625286: Information Exposure in posix_get_file_contents function in posix-helpers.c
- #1625648: I/O to arbitrary devices on storage server
- #1625654: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
- #1625656: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
- #1625660: Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
- #1625664: Files can be renamed outside volume