# Release notes for Gluster 3.12.14

This is a bugfix release. The release notes for [3.12.0](3.12.0.md), [3.12.1](3.12.1.md), [3.12.2](3.12.2.md),
[3.12.3](3.12.3.md), [3.12.4](3.12.4.md), [3.12.5](3.12.5.md), [3.12.6](3.12.6.md), [3.12.7](3.12.7.md),
[3.12.8](3.12.8.md), [3.12.9](3.12.9.md), [3.12.10](3.12.10.md), [3.12.11](3.12.11.md) and [3.12.12](3.12.12.md)
contain a listing of all the new features that were added and bugs fixed in the GlusterFS 3.12 stable release.

## Major changes, features and limitations addressed in this release
This release contains a fix for a security vulerability in Gluster as follows,
- https://nvd.nist.gov/vuln/detail/CVE-2018-10907
- https://nvd.nist.gov/vuln/detail/CVE-2018-10904
- https://nvd.nist.gov/vuln/detail/CVE-2018-10911
- https://nvd.nist.gov/vuln/detail/CVE-2018-10913
- https://nvd.nist.gov/vuln/detail/CVE-2018-10923
- https://nvd.nist.gov/vuln/detail/CVE-2018-10930

Plus to resolve one of the security vulerability following limitations were made
- open,read,write on special files like char and block are no longer permitted
- io-stat xlator can dump stat into /var/run/gluster directory only
- Resolved with SSL/TLS encryption with kvm

Installing the updated packages and restarting gluster services on gluster
brick hosts, will help prevent the security issue.## Major issues


## Major issues

**None**

## Bugs addressed

Bugs addressed since release-3.12.14 are listed below.

- [#1622405](https://bugzilla.redhat.com/1622405): Problem with SSL/TLS encryption on Gluster 4.0 & 4.1
- [#1625286](https://bugzilla.redhat.com/1625286):  Information Exposure in posix_get_file_contents function in posix-helpers.c
- [#1625648](https://bugzilla.redhat.com/1625648): I/O to arbitrary devices on storage server
- [#1625654](https://bugzilla.redhat.com/1625654): Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
- [#1625656](https://bugzilla.redhat.com/1625656): Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
- [#1625660](https://bugzilla.redhat.com/1625660): Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
- [#1625664](https://bugzilla.redhat.com/1625664): Files can be renamed outside volume