Release notes for Gluster 4.1.4
Major changes, features and limitations addressed in this release
- This release contains fix for following security vulnerabilities,
To resolve the security vulnerabilities following limitations were made in GlusterFS
- open,read,write on special files like char and block are no longer permitted
- io-stat xlator can dump stat info only to /var/run/gluster directory
Installing the updated packages and restarting gluster services on gluster brick hosts, will fix the security issues.
- Bug #1601356 titled "Problem with SSL/TLS encryption", is not yet fixed with this release. Patch to fix the same is in progress and can be tracked here.
Bugs addressed since release-4.1.3 are listed below.
- #1625089: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
- #1625095: Files can be renamed outside volume
- #1625096: I/O to arbitrary devices on storage server
- #1625097: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
- #1625102: Information Exposure in posix_get_file_contents function in posix-helpers.c
- #1625106: Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code