On Wed, 2020-04-08 at 10:48 +0100, Chris Lamb wrote: > Dear maintainer(s), > > The Debian LTS team would like to fix the security issues which are > currently open in the Jessie version of ceph: > https://security-tracker.debian.org/tracker/source-package/ceph > > Would you like to take care of this yourself? [...]
Note that the fix for CVE-2018-1128 requires an incompatible change to the authentication protocol, which means both clients and servers would need to be updated (if authentication is actually used). I backported the required changes in the Linux kernel's ceph client as far as 4.9, but introduced a bug in the process (since fixed). At that point I decided not to backport them any further, but can have a go if someone sets up an updated server to test against. Ben. -- Ben Hutchings Time is nature's way of making sure that everything doesn't happen at once.
signature.asc
Description: This is a digitally signed message part
