# Release notes for Gluster 3.12.14

This is a bugfix release. The release notes for [3.12.0](3.12.0.md), [3.12.1](3.12.1.md), [3.12.2](3.12.2.md),
[3.12.3](3.12.3.md), [3.12.4](3.12.4.md), [3.12.5](3.12.5.md), [3.12.6](3.12.6.md), [3.12.7](3.12.7.md),
[3.12.8](3.12.8.md), [3.12.9](3.12.9.md), [3.12.10](3.12.10.md), [3.12.11](3.12.11.md), [3.12.12](3.12.12.md)
and [3.12.13](3.12.13.md) contain a listing of all the new features that were added and bugs fixed in
the GlusterFS 3.12 stable release.

## Major changes, features and limitations addressed in this release
1. This release contains fix for following security vulnerabilities,
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10904
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10907
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10911
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10913
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10914
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10923
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10926
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10927
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10928
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10929
   - https://nvd.nist.gov/vuln/detail/CVE-2018-10930

2. To resolve the security vulnerabilities following limitations were made in GlusterFS
    - open,read,write on special files like char and block are no longer permitted
    - io-stat xlator can dump stat info only to /var/run/gluster directory

3. Addressed an issue that affected copying a file over SSL/TLS in a volume 

Installing the updated packages and restarting gluster services on gluster
brick hosts, will fix the security issues.

## Major issues

**None**

## Bugs addressed

Bugs addressed since release-3.12.14 are listed below.

- [#1622405](https://bugzilla.redhat.com/1622405): Problem with SSL/TLS encryption on Gluster 4.0 & 4.1
- [#1625286](https://bugzilla.redhat.com/1625286):  Information Exposure in posix_get_file_contents function in posix-helpers.c
- [#1625648](https://bugzilla.redhat.com/1625648): I/O to arbitrary devices on storage server
- [#1625654](https://bugzilla.redhat.com/1625654): Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
- [#1625656](https://bugzilla.redhat.com/1625656): Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
- [#1625660](https://bugzilla.redhat.com/1625660): Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
- [#1625664](https://bugzilla.redhat.com/1625664): Files can be renamed outside volume