From: Patrick Donnelly Date: Wed, 30 Jul 2025 02:31:05 +0000 (-0400) Subject: PendingReleaseNotes: add note for cephx upgrade X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=628cbafbd84e757af37f84d92f953713979b20d5;p=ceph-ci.git PendingReleaseNotes: add note for cephx upgrade Signed-off-by: Patrick Donnelly --- diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 6b0ec7cee75..3a641d12b37 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -17,9 +17,19 @@ and the scrubbing process is delayed between each read in order to avoid monopolizing the I/O capacity of the OSD. The default stride size (``osd_deep_scrub_stride``) was 512 KBytes, and is now 4 MBytes. + >=21.0.0 +* CephX: [CVE-2025-30156] a new key type ``aes256k`` has been introduced to address + vulnerabilities in the existing encryption schemes. It is necessary to + perform an upgrade of all CephX keys used by daemons or clients. Please see + :ref:`cephx-upgrade` for more information. * The ``auth_supported`` config has been removed. +* The monitor map includes new settings relating to CephX: auth_service_cipher, + auth_allowed_ciphers, and auth_preferred_cipher. These are used to control + which CephX key types may be used in the cluster. +* A new --key-type argument has been introduced for all commands which produce CephX keys. This includes monitor commands as well as Ceph cluster bootstrap commands like ceph-authtool and monmaptool. +* The ``mon.`` credential is now authoritatively stored in the Monitor "auth" database. The monitor keyring file is only used as a fallback. The ``ceph-mon`` command now includes a --use-mon-keyring switch for recovery if the ``mon.`` key in the auth database is lost. >=20.0.0
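Review bot: the new CephX bullet in this hunk tells operators that "It is necessary to perform an upgrade of all CephX keys used by daemons or clients" but does not say what happens to a cluster, or to older clients, that still present the existing key types after the upgrade: whether the legacy types remain accepted until every key has been rotated, whether the new ``auth_allowed_ciphers`` / ``auth_preferred_cipher`` monmap settings default to permitting them, and in what order monitors, OSDs and clients should be rotated. Since this is the only place many operators will read before upgrading, a sentence on the default compatibility behaviour (and which existing scheme the "vulnerabilities in the existing encryption schemes" refers to, or a link to the advisory for CVE-2025-30156) belongs next to the upgrade instruction rather than only behind :ref:`cephx-upgrade`. Two smaller points on the same hunk: the markup is inconsistent with the surrounding file, which wraps option and command names in double backticks (``osd_deep_scrub_stride``, ``auth_supported``), so `auth_service_cipher`, `auth_allowed_ciphers`, `auth_preferred_cipher`, `--key-type`, `--use-mon-keyring`, `ceph-authtool` and `monmaptool` should get the same treatment, and the last two bullets should be wrapped at the column width the neighbouring entries use; and the added version header `+ >=21.0.0` appears with a leading space where the existing `>=20.0.0` header has none, so check that it sits at column 0 like the other version markers in PendingReleaseNotes.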