Skip to content

Release notes for Gluster 4.1.4

This is a bugfix release. The release notes for 4.1.0, 4.1.1, 4.1.2 and 4.1.3 contains a listing of all the new features that were added and bugs fixed in the GlusterFS 4.1 stable release.

Major changes, features and limitations addressed in this release

  1. This release contains fix for following security vulnerabilities,

    • https://nvd.nist.gov/vuln/detail/CVE-2018-10904
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10907
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10911
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10913
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10914
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10923
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10926
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10927
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10928
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10929
    • https://nvd.nist.gov/vuln/detail/CVE-2018-10930
  2. To resolve the security vulnerabilities following limitations were made in GlusterFS

    • open,read,write on special files like char and block are no longer permitted
    • io-stat xlator can dump stat info only to /var/run/gluster directory

Installing the updated packages and restarting gluster services on gluster brick hosts, will fix the security issues.

Major issues

  1. Bug #1601356 titled "Problem with SSL/TLS encryption", is not yet fixed with this release. Patch to fix the same is in progress and can be tracked here.

Bugs addressed

Bugs addressed since release-4.1.3 are listed below.

  • #1625089: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
  • #1625095: Files can be renamed outside volume
  • #1625096: I/O to arbitrary devices on storage server
  • #1625097: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
  • #1625102: Information Exposure in posix_get_file_contents function in posix-helpers.c
  • #1625106: Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code