On Tue, Apr 20, 2021 at 11:30 AM Dan van der Ster <dan@xxxxxxxxxxxxxx> wrote:
>
> On Tue, Apr 20, 2021 at 11:26 AM Ilya Dryomov <idryomov@xxxxxxxxx> wrote:
> >
> > On Tue, Apr 20, 2021 at 2:01 AM David Galloway <dgallowa@xxxxxxxxxx> wrote:
> > >
> > > This is the 20th bugfix release in the Nautilus stable series. It
> > > addresses a security vulnerability in the Ceph authentication framework.
> > > We recommend users to update to this release. For a detailed release
> > > notes with links & changelog please refer to the official blog entry at
> > > https://ceph.io/releases/v14-2-20-nautilus-released
> > >
> > > Security Fixes
> > > --------------
> > >
> > > * This release includes a security fix that ensures the global_id value
> > >   (a numeric value that should be unique for every authenticated client or
> > >   daemon in the cluster) is reclaimed after a network disconnect or ticket
> > >   renewal in a secure fashion. Two new health alerts may appear during
> > >   the upgrade indicating that there are clients or daemons that are not
> > >   yet patched with the appropriate fix.
> >
> > The link in the blog entry should point at
> >
> > https://docs.ceph.com/en/latest/security/CVE-2021-20288/
> >
> > Please refer there for details and recommendations.
>
> Thanks Ilya.
>
> Is there any potential issue if clients upgrade before the cluster daemons?
> (Our clients will likely get 14.2.20 before all the clusters have been
> upgraded).

No issue. Userspace clients would just start doing what is expected by
the protocol, same as kernel clients.

Ilya