Quincy is the 17th stable release of Ceph. It is named after Squidward
Quincy Tentacles from Spongebob Squarepants.
+v17.2.2 Quincy
+==============
+
+This is a hotfix release that resolves two security flaws.
+
+Notable Changes
+---------------
+* Users who were running OpenStack Manila to export native CephFS, who
+ upgraded their Ceph cluster from Nautilus (or earlier) to a later
+ major version, were vulnerable to an attack by malicious users. The
+ vulnerability allowed users to obtain access to arbitrary portions of
+ the CephFS filesystem hierarchy, instead of being properly restricted
+ to their own subvolumes. The vulnerability is due to a bug in the
+ "volumes" plugin in Ceph Manager. This plugin is responsible for
+ managing Ceph File System subvolumes which are used by OpenStack
+ Manila services as a way to provide shares to Manila users.
+
+ With this hotfix, the vulnerability is fixed. Administrators who are
+ concerned they may have been impacted should audit the CephX keys in
+ their cluster for proper path restrictions.
+
+ Again, this vulnerability only impacts OpenStack Manila clusters which
+ provided native CephFS access to their users.
+
+* A regression made it possible to dereference a null pointer for
+ for s3website requests that don't refer to a bucket resulting in an RGW
+ segfault.
+
+Changelog
+---------
+* mgr/volumes: Fix subvolume discover during upgrade (:ref:`CVE-2022-0670`, Kotresh HR)
+* mgr/volumes: V2 Fix for test_subvolume_retain_snapshot_invalid_recreate (:ref:`CVE-2022-0670`, Kotresh HR)
+* qa: validate subvolume discover on upgrade (Kotresh HR)
+* rgw: s3website check for bucket before retargeting (Seena Fallah)
+
v17.2.1 Quincy
==============
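Review bot: the second Notable Changes bullet has a doubled word across its line break ("dereference a null pointer for" followed by "for s3website requests"); drop one "for", and a comma before "resulting in an RGW segfault" would make the sentence easier to read. In the first bullet, the advice to "audit the CephX keys in their cluster for proper path restrictions" does not say how an administrator would do that or what a correctly restricted key looks like; a short pointer to the relevant command or documentation section would make it actionable. The intro says the release resolves "two security flaws", but only the mgr/volumes changelog entries carry :ref:`CVE-2022-0670`, and no label of that name is defined in the lines shown here, so please confirm the reference target exists elsewhere and state whether the s3website fix has an identifier of its own.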