blob: 986a0bd730d779f6fd7630ed1c02edf7f77f7aa1 (
plain)
| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
 | # Release notes for Gluster 4.1.4
This is a bugfix release. The release notes for [4.1.0](4.1.0.md),
 [4.1.1](4.1.1.md), [4.1.2](4.1.2.md) and [4.1.3](4.1.3.md) contains a
listing of all the new features that were added and bugs fixed in the
GlusterFS 4.1 stable release.
## Major changes, features and limitations addressed in this release
This release contains a fix for a security vulerability in Gluster as follows,
- https://nvd.nist.gov/vuln/detail/CVE-2018-10907
- https://nvd.nist.gov/vuln/detail/CVE-2018-10904
- https://nvd.nist.gov/vuln/detail/CVE-2018-10911
- https://nvd.nist.gov/vuln/detail/CVE-2018-10913
- https://nvd.nist.gov/vuln/detail/CVE-2018-10923
- https://nvd.nist.gov/vuln/detail/CVE-2018-10930
Plus to resolve one of the security vulerability following limitations were made
- open,read,write on special files like char and block are no longer permitted
- io-stat xlator can dump stat into /var/run/gluster directory only
Installing the updated packages and restarting gluster services on gluster
brick hosts, will help prevent the security issue.
## Major issues
1. Bug [#1601356](https://bugzilla.redhat.com/show_bug.cgi?id=1601356) titled "Problem with SSL/TLS encryption",
is **not** yet fixed with this release. Patch to fix the same is in progress and
can be tracked [here](https://review.gluster.org/c/glusterfs/+/20993).
## Bugs addressed
Bugs addressed since release-4.1.3 are listed below.
- [#1625089](https://bugzilla.redhat.com/1625089): Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
- [#1625095](https://bugzilla.redhat.com/1625095): Files can be renamed outside volume
- [#1625096](https://bugzilla.redhat.com/1625096): I/O to arbitrary devices on storage server
- [#1625097](https://bugzilla.redhat.com/1625097): Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
- [#1625102](https://bugzilla.redhat.com/1625102):  Information Exposure in posix_get_file_contents function in posix-helpers.c
- [#1625106](https://bugzilla.redhat.com/1625106): Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
 |