On Tue, Apr 20, 2021 at 11:30 AM Dan van der Ster <d...@vanderster.com> wrote:
>
> On Tue, Apr 20, 2021 at 11:26 AM Ilya Dryomov <idryo...@gmail.com> wrote:
> >
> > On Tue, Apr 20, 2021 at 2:01 AM David Galloway <dgall...@redhat.com> wrote:
> > >
> > > This is the 20th bugfix release in the Nautilus stable series.  It
> > > addresses a security vulnerability in the Ceph authentication framework.
> > > We recommend that users update to this release. For detailed release
> > > notes with links & changelog please refer to the official blog entry at
> > > https://ceph.io/releases/v14-2-20-nautilus-released
> > >
> > > Security Fixes
> > > --------------
> > >
> > > * This release includes a security fix that ensures the global_id value
> > > (a numeric value that should be unique for every authenticated client or
> > > daemon in the cluster) is reclaimed after a network disconnect or ticket
> > > renewal in a secure fashion.  Two new health alerts may appear during
> > > the upgrade indicating that there are clients or daemons that are not
> > > yet patched with the appropriate fix.
> >
> > The link in the blog entry should point at
> >
> > https://docs.ceph.com/en/latest/security/CVE-2021-20288/
> >
> > Please refer there for details and recommendations.
>
> Thanks Ilya.
>
> Is there any potential issue if clients upgrade before the cluster daemons?
> (Our clients will likely get 14.2.20 before all the clusters have been
> upgraded).

No issue.  Userspace clients would just start doing what is expected
by the protocol, same as kernel clients.

                Ilya
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
