On Mon, 2018-12-03 at 11:16 -0500, Sasha Levin wrote:
> On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote:
> > On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@xxxxxxxxxx> wrote:
> > >
> > > + Ben
> > >
> > > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote:
[...]
> > > > The CVEs mentioned in this series are server side and CEPHX_V2 is
> > > > probably more of a new feature than a security fix. That said, I don't
> > > > object to including it in 4.14.z. If you do, please pick up the
> > > > remaining two patches for interoperability:
> > > >
> > > > f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
> > > > 130f52f2b203 libceph: check authorizer reply/challenge length before reading
> > >
> > > Would I be pulling this patch if it didn't have the string
> > > "CVE-2018-1129" in the commit message?
> >
> > Well, I didn't mark this series for stable, so probably not.
>
> Alrighty, thanks.
>
> Ben, any objections to dropping this patch?

My understanding is that while the security impact is on the server
side, an unpatched client won't be able to authenticate to a patched
server. Assuming that is correct, this change seems to fit the stable
rules.

Ben.

--
Ben Hutchings, Software Developer
Codethink Ltd
https://www.codethink.co.uk/
Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom