Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree

On Mon, 2018-12-03 at 11:16 -0500, Sasha Levin wrote:
> On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
> > On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@xxxxxxxxxx> wrote:
> > > 
> > > + Ben
> > > 
> > > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
[...]
> > > > The CVEs mentioned in this series are server side and CEPHX_V2 is
> > > > probably more of a new feature than a security fix.  That said, I don't
> > > > object to including it in 4.14.z.  If you do, please pick up the
> > > > remaining two patches for interoperability:
> > > > 
> > > > f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> > > > 130f52f2b203 libceph: check authorizer reply/challenge length before reading
> > > 
> > > Would I be pulling this patch if it didn't have the string
> > > "CVE-2018-1129" in the commit message?
> > 
> > Well, I didn't mark this series for stable, so probably not.
> 
> Alrighty, thanks.
> 
> Ben, any objections to dropping this patch?

My understanding is that while the security impact is on the server
side, an unpatched client won't be able to authenticate to a patched
server.  Assuming that is correct, this change seems to fit the stable
rules.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom
