summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/release-notes/3.12.14.md40
1 files changed, 40 insertions, 0 deletions
diff --git a/doc/release-notes/3.12.14.md b/doc/release-notes/3.12.14.md
new file mode 100644
index 00000000000..ee6cae094a9
--- /dev/null
+++ b/doc/release-notes/3.12.14.md
@@ -0,0 +1,40 @@
+# Release notes for Gluster 3.12.14
+
+This is a bugfix release. The release notes for [3.12.0](3.12.0.md), [3.12.1](3.12.1.md), [3.12.2](3.12.2.md),
+[3.12.3](3.12.3.md), [3.12.4](3.12.4.md), [3.12.5](3.12.5.md), [3.12.6](3.12.6.md), [3.12.7](3.12.7.md),
+[3.12.8](3.12.8.md), [3.12.9](3.12.9.md), [3.12.10](3.12.10.md), [3.12.11](3.12.11.md) and [3.12.12](3.12.12.md)
+contain a listing of all the new features that were added and bugs fixed in the GlusterFS 3.12 stable release.
+
+## Major changes, features and limitations addressed in this release
+This release contains a fix for a security vulerability in Gluster as follows,
+- https://nvd.nist.gov/vuln/detail/CVE-2018-10907
+- https://nvd.nist.gov/vuln/detail/CVE-2018-10904
+- https://nvd.nist.gov/vuln/detail/CVE-2018-10911
+- https://nvd.nist.gov/vuln/detail/CVE-2018-10913
+- https://nvd.nist.gov/vuln/detail/CVE-2018-10923
+- https://nvd.nist.gov/vuln/detail/CVE-2018-10930
+
+Plus to resolve one of the security vulerability following limitations were made
+- open,read,write on special files like char and block are no longer permitted
+- io-stat xlator can dump stat into /var/run/gluster directory only
+- Resolved with SSL/TLS encryption with kvm
+
+Installing the updated packages and restarting gluster services on gluster
+brick hosts, will help prevent the security issue.## Major issues
+
+
+## Major issues
+
+**None**
+
+## Bugs addressed
+
+Bugs addressed since release-3.12.14 are listed below.
+
+- [#1622405](https://bugzilla.redhat.com/1622405): Problem with SSL/TLS encryption on Gluster 4.0 & 4.1
+- [#1625286](https://bugzilla.redhat.com/1625286): Information Exposure in posix_get_file_contents function in posix-helpers.c
+- [#1625648](https://bugzilla.redhat.com/1625648): I/O to arbitrary devices on storage server
+- [#1625654](https://bugzilla.redhat.com/1625654): Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
+- [#1625656](https://bugzilla.redhat.com/1625656): Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
+- [#1625660](https://bugzilla.redhat.com/1625660): Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
+- [#1625664](https://bugzilla.redhat.com/1625664): Files can be renamed outside volume