diff options
authorJiffin Tony Thottan <>2018-09-06 21:16:06 +0530
committerJiffin Tony Thottan <>2018-09-06 21:41:39 +0530
commitdeafd5a4f8440fa2a6f54595722e6fd1d4b6ed55 (patch)
parent39db09af1de261ef3b80ce354e8b1b89a599fd40 (diff)
doc: Release notes for v4.1.4v4.1.4
Change-Id: Idfce8b9ec79303b92045e68ab98765f7e2f98940 fixes: bz#1623161 Signed-off-by: Jiffin Tony Thottan <>
1 files changed, 41 insertions, 0 deletions
diff --git a/doc/release-notes/ b/doc/release-notes/
new file mode 100644
index 00000000000..3c688f0e995
--- /dev/null
+++ b/doc/release-notes/
@@ -0,0 +1,41 @@
+# Release notes for Gluster 4.1.4
+This is a bugfix release. The release notes for [4.1.0](,
+ [4.1.1](, [4.1.2]( and [4.1.3]( contains a
+listing of all the new features that were added and bugs fixed in the
+GlusterFS 4.1 stable release.
+## Major changes, features and limitations addressed in this release
+This release contains a fix for a security vulerability in Gluster as follows,
+Plus to resolve one of the security vulerability following limitations were made
+- open,read,write on special files like char and block are no longer permitted
+- io-stat xlator can dump stat into /var/run/gluster directory only
+Installing the updated packages and restarting gluster services on gluster
+brick hosts, will help prevent the security issue.## Major issues
+## Major issues
+1. Bug [#1601356]( titled "Problem with SSL/TLS encryption",
+is **not** yet fixed with this release. Patch to fix the same is in progress and
+can be tracked [here](
+## Bugs addressed
+Bugs addressed since release-4.1.3 are listed below.
+- [#1625089]( Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
+- [#1625095]( Files can be renamed outside volume
+- [#1625096]( I/O to arbitrary devices on storage server
+- [#1625097]( Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
+- [#1625102]( Information Exposure in posix_get_file_contents function in posix-helpers.c
+- [#1625106]( Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code