diff options
| author | Jiffin Tony Thottan <jthottan@redhat.com> | 2018-09-06 21:16:06 +0530 |
|---|---|---|
| committer | Jiffin Tony Thottan <jthottan@redhat.com> | 2018-09-06 21:41:39 +0530 |
| commit | deafd5a4f8440fa2a6f54595722e6fd1d4b6ed55 (patch) | |
| tree | be46b38c92ba640352880c0f1cff97f9100cb174 | |
| parent | 39db09af1de261ef3b80ce354e8b1b89a599fd40 (diff) | |
doc: Release notes for v4.1.4v4.1.4
Change-Id: Idfce8b9ec79303b92045e68ab98765f7e2f98940
fixes: bz#1623161
Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
| -rw-r--r-- | doc/release-notes/4.1.4.md | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/doc/release-notes/4.1.4.md b/doc/release-notes/4.1.4.md new file mode 100644 index 00000000000..3c688f0e995 --- /dev/null +++ b/doc/release-notes/4.1.4.md @@ -0,0 +1,41 @@ +# Release notes for Gluster 4.1.4 + +This is a bugfix release. The release notes for [4.1.0](4.1.0.md), + [4.1.1](4.1.1.md), [4.1.2](4.1.2.md) and [4.1.3](4.1.3.md) contains a +listing of all the new features that were added and bugs fixed in the +GlusterFS 4.1 stable release. + +## Major changes, features and limitations addressed in this release + +This release contains a fix for a security vulerability in Gluster as follows, +- https://nvd.nist.gov/vuln/detail/CVE-2018-10907 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10904 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10911 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10913 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10923 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10930 + +Plus to resolve one of the security vulerability following limitations were made +- open,read,write on special files like char and block are no longer permitted +- io-stat xlator can dump stat into /var/run/gluster directory only + +Installing the updated packages and restarting gluster services on gluster +brick hosts, will help prevent the security issue.## Major issues + +## Major issues + +1. Bug [#1601356](https://bugzilla.redhat.com/show_bug.cgi?id=1601356) titled "Problem with SSL/TLS encryption", +is **not** yet fixed with this release. Patch to fix the same is in progress and +can be tracked [here](https://review.gluster.org/c/glusterfs/+/20993). + +## Bugs addressed + +Bugs addressed since release-4.1.3 are listed below. + +- [#1625089](https://bugzilla.redhat.com/1625089): Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory +- [#1625095](https://bugzilla.redhat.com/1625095): Files can be renamed outside volume +- [#1625096](https://bugzilla.redhat.com/1625096): I/O to arbitrary devices on storage server +- [#1625097](https://bugzilla.redhat.com/1625097): Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code +- [#1625102](https://bugzilla.redhat.com/1625102): Information Exposure in posix_get_file_contents function in posix-helpers.c +- [#1625106](https://bugzilla.redhat.com/1625106): Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code + |