CVE-2022-48340 (https://github.com/gluster/glusterfs/issues/3732): In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.
CVE-2023-26253 (https://github.com/gluster/glusterfs/issues/3954): In Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bridge.c notify stack-based buffer over-read.
We don't currently have 11.0 in the tree. Due to vagueness of the actual reports it's unclear if the same applies to <11.0 releases. Would have to track the fix commits and then see when they were introduced.
This doesn't apply to glusterfs < 11 as far as I can determine.
(In reply to Jaco Kroon from comment #3)
> This doesn't apply to glusterfs < 11 as far as I can determine.

But the upstream bugs aren't closed? Why?