From fe5b6bc8522b3539a97765b243ad37ef227c05b6 Mon Sep 17 00:00:00 2001 From: Jiffin Tony Thottan Date: Thu, 6 Sep 2018 21:39:15 +0530 Subject: doc: Release notes for v3.12.4 Change-Id: I836d5fc0981ee9a0348aca9b1bde4d46e1519607 BUG: 1625504 Signed-off-by: Jiffin Tony Thottan --- doc/release-notes/3.12.14.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 doc/release-notes/3.12.14.md (limited to 'doc') diff --git a/doc/release-notes/3.12.14.md b/doc/release-notes/3.12.14.md new file mode 100644 index 00000000000..ee6cae094a9 --- /dev/null +++ b/doc/release-notes/3.12.14.md @@ -0,0 +1,40 @@ +# Release notes for Gluster 3.12.14 + +This is a bugfix release. The release notes for [3.12.0](3.12.0.md), [3.12.1](3.12.1.md), [3.12.2](3.12.2.md), +[3.12.3](3.12.3.md), [3.12.4](3.12.4.md), [3.12.5](3.12.5.md), [3.12.6](3.12.6.md), [3.12.7](3.12.7.md), +[3.12.8](3.12.8.md), [3.12.9](3.12.9.md), [3.12.10](3.12.10.md), [3.12.11](3.12.11.md) and [3.12.12](3.12.12.md) +contain a listing of all the new features that were added and bugs fixed in the GlusterFS 3.12 stable release. + +## Major changes, features and limitations addressed in this release +This release contains a fix for a security vulerability in Gluster as follows, +- https://nvd.nist.gov/vuln/detail/CVE-2018-10907 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10904 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10911 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10913 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10923 +- https://nvd.nist.gov/vuln/detail/CVE-2018-10930 + +Plus to resolve one of the security vulerability following limitations were made +- open,read,write on special files like char and block are no longer permitted +- io-stat xlator can dump stat into /var/run/gluster directory only +- Resolved with SSL/TLS encryption with kvm + +Installing the updated packages and restarting gluster services on gluster +brick hosts, will help prevent the security issue.## Major issues + + +## Major issues + +**None** + +## Bugs addressed + +Bugs addressed since release-3.12.14 are listed below. + +- [#1622405](https://bugzilla.redhat.com/1622405): Problem with SSL/TLS encryption on Gluster 4.0 & 4.1 +- [#1625286](https://bugzilla.redhat.com/1625286): Information Exposure in posix_get_file_contents function in posix-helpers.c +- [#1625648](https://bugzilla.redhat.com/1625648): I/O to arbitrary devices on storage server +- [#1625654](https://bugzilla.redhat.com/1625654): Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code +- [#1625656](https://bugzilla.redhat.com/1625656): Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory +- [#1625660](https://bugzilla.redhat.com/1625660): Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code +- [#1625664](https://bugzilla.redhat.com/1625664): Files can be renamed outside volume -- cgit