Release notes for Gluster 3.12.14

This is a bugfix release. The release notes for 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12 and 3.12.13 contain a listing of all the new features that were added and bugs fixed in the GlusterFS 3.12 stable release.

Major changes, features and limitations addressed in this release

  1. This release contains fix for following security vulnerabilities,
  2. https://nvd.nist.gov/vuln/detail/CVE-2018-10904
  3. https://nvd.nist.gov/vuln/detail/CVE-2018-10907
  4. https://nvd.nist.gov/vuln/detail/CVE-2018-10911
  5. https://nvd.nist.gov/vuln/detail/CVE-2018-10913
  6. https://nvd.nist.gov/vuln/detail/CVE-2018-10914
  7. https://nvd.nist.gov/vuln/detail/CVE-2018-10923
  8. https://nvd.nist.gov/vuln/detail/CVE-2018-10926
  9. https://nvd.nist.gov/vuln/detail/CVE-2018-10927
  10. https://nvd.nist.gov/vuln/detail/CVE-2018-10928
  11. https://nvd.nist.gov/vuln/detail/CVE-2018-10929
  12. https://nvd.nist.gov/vuln/detail/CVE-2018-10930

  13. To resolve the security vulnerabilities following limitations were made in GlusterFS

    • open,read,write on special files like char and block are no longer permitted
    • io-stat xlator can dump stat info only to /var/run/gluster directory
  14. Addressed an issue that affected copying a file over SSL/TLS in a volume

Installing the updated packages and restarting gluster services on gluster brick hosts, will fix the security issues.

Major issues

None

Bugs addressed

Bugs addressed since release-3.12.14 are listed below.

  • #1622405: Problem with SSL/TLS encryption on Gluster 4.0 & 4.1
  • #1625286: Information Exposure in posix_get_file_contents function in posix-helpers.c
  • #1625648: I/O to arbitrary devices on storage server
  • #1625654: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
  • #1625656: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
  • #1625660: Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
  • #1625664: Files can be renamed outside volume