On Wed, Dec 05, 2018 at 10:25:17PM +0000, Ben Hutchings wrote: > On Mon, 2018-12-03 at 11:16 -0500, Sasha Levin wrote: > > On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote: > > > On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin <sashal@xxxxxxxxxx> wrote: > > > > > > > > + Ben > > > > > > > > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote: > [...] > > > > > The CVEs mentioned in this series are server side and CEPHX_V2 is > > > > > probably more of a new feature than a security fix. That said, I don't > > > > > object to including it in 4.14.z. If you do, please pick up the > > > > > remaining two patches for interoperability: > > > > > > > > > > f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() > > > > > 130f52f2b203 libceph: check authorizer reply/challenge length before reading > > > > > > > > Would I be pulling this patch if it didn't have the string > > > > "CVE-2018-1129" in the commit message? > > > > > > Well, I didn't mark this series for stable, so probably not. > > > > Alrighty, thanks. > > > > Ben, any objections to dropping this patch? > > My understanding is that while the security impact is on the server > side, an unpatched client won't be able to authenticate to a patched > server. Assuming that is correct, this change seems to fit the stable > rules. I kept them in the tree, and added the additional ones, thanks! greg k-h
