Release notes for Gluster 4.1.4
Major changes, features and limitations addressed in this release
This release contains fixes for several security vulnerabilities (listed under the bugs addressed below).
To resolve these vulnerabilities, the following limitations were introduced in GlusterFS:
- open, read and write on special files such as character and block devices are no longer permitted
- the io-stats xlator can dump stat info only to the /var/run/gluster directory
Installing the updated packages and restarting the gluster services on the gluster brick hosts fixes these security issues.
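As an added illustration (not GlusterFS code), the two restrictions above expressed as standalone checks in Python: a requested dump-file name is confined to the /var/run/gluster directory, and opens of character or block special files are refused. The function names, the null-byte check and the use of O_NOFOLLOW are this example's own choices, not details taken from the release.

```python
import os
import stat
from typing import Optional

# Constructed example, not GlusterFS code: the two limitations from the
# release notes as stand-alone checks a brick-side component could apply.

DUMP_DIR = "/var/run/gluster"  # the only directory io-stats may dump to


def confined_dump_path(requested_name: str, base: str = DUMP_DIR) -> Optional[str]:
    """Return the absolute dump path if it stays inside `base`, else None.

    The name is joined to `base` and the result normalised with realpath(),
    so '..' components, an absolute name, or an existing symlink under `base`
    that points elsewhere all resolve to a path outside `base` and are rejected.
    """
    if not requested_name or "\0" in requested_name:
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    # both paths are absolute here, so commonpath() cannot raise
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    if candidate == base_real:  # the directory itself is not a valid dump file
        return None
    return candidate


def is_device_file(mode: int) -> bool:
    """True for character or block special files (mode from stat/lstat/fstat)."""
    return stat.S_ISCHR(mode) or stat.S_ISBLK(mode)


def open_regular_only(path: str, flags: int = os.O_RDONLY) -> int:
    """open() that refuses device special files, mirroring the 4.1.4 limitation.

    O_NOFOLLOW keeps a symlink to a device from being followed, and the mode
    is re-checked on the open descriptor so a rename between lstat() and
    open() cannot swap in a device node.
    """
    if is_device_file(os.lstat(path).st_mode):
        raise PermissionError(f"refusing device special file: {path}")
    fd = os.open(path, flags | os.O_NOFOLLOW)
    if is_device_file(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError(f"refusing device special file: {path}")
    return fd
```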
- Bug #1601356, titled "Problem with SSL/TLS encryption", is not yet fixed in this release. A patch to fix it is in progress and can be tracked here.
Bugs addressed since release-4.1.3 are listed below.
- #1625089: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
- #1625095: Files can be renamed outside volume
- #1625096: I/O to arbitrary devices on storage server
- #1625097: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
- #1625102: Information Exposure in the posix_get_file_contents function in posix-helpers.c
- #1625106: Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code