From 3b7bf3de9c9427a09636db06d01302d84230b932 Mon Sep 17 00:00:00 2001 From: David Galloway Date: Thu, 21 Jul 2022 12:43:59 -0400 Subject: [PATCH] doc: 17.2.2 Release notes Signed-off-by: David Galloway --- doc/releases/index.rst | 1 + doc/releases/quincy.rst | 35 +++++++++++++++++++++++++++++++++++ doc/releases/releases.yml | 3 ++- 3 files changed, 38 insertions(+), 1 deletion(-) diff --git a/doc/releases/index.rst b/doc/releases/index.rst index dbb5a6f296939..bd0db5818956b 100644 --- a/doc/releases/index.rst +++ b/doc/releases/index.rst @@ -64,6 +64,7 @@ Release timeline .. _Quincy: quincy .. _17.2.0: quincy#v17-2-0-quincy .. _17.2.1: quincy#v17-2-1-quincy +.. _17.2.2: quincy#v17-2-2-quincy .. _Pacific: pacific .. _16.2.9: pacific#v16-2-9-pacific diff --git a/doc/releases/quincy.rst b/doc/releases/quincy.rst index 15cffb0081df2..31b64c6b55ac3 100644 --- a/doc/releases/quincy.rst +++ b/doc/releases/quincy.rst 
@@ -5,6 +5,41 @@ Quincy Quincy is the 17th stable release of Ceph. It is named after Squidward Quincy Tentacles from Spongebob Squarepants. +v17.2.2 Quincy +============== + +This is a hotfix release that resolves two security flaws. + +Notable Changes +--------------- +* Users who were running OpenStack Manila to export native CephFS, who + upgraded their Ceph cluster from Nautilus (or earlier) to a later + major version, were vulnerable to an attack by malicious users. The + vulnerability allowed users to obtain access to arbitrary portions of + the CephFS filesystem hierarchy, instead of being properly restricted + to their own subvolumes. The vulnerability is due to a bug in the + "volumes" plugin in Ceph Manager. This plugin is responsible for + managing Ceph File System subvolumes which are used by OpenStack + Manila services as a way to provide shares to Manila users. + + With this hotfix, the vulnerability is fixed. Administrators who are + concerned they may have been impacted should audit the CephX keys in + their cluster for proper path restrictions. + + Again, this vulnerability only impacts OpenStack Manila clusters which + provided native CephFS access to their users. + +* A regression made it possible to dereference a null pointer for + for s3website requests that don't refer to a bucket resulting in an RGW + segfault. + +Changelog +--------- +* mgr/volumes: Fix subvolume discover during upgrade (:ref:`CVE-2022-0670`, Kotresh HR) +* mgr/volumes: V2 Fix for test_subvolume_retain_snapshot_invalid_recreate (:ref:`CVE-2022-0670`, Kotresh HR) +* qa: validate subvolume discover on upgrade (Kotresh HR) +* rgw: s3website check for bucket before retargeting (Seena Fallah) + v17.2.1 Quincy ============== diff --git a/doc/releases/releases.yml b/doc/releases/releases.yml index 7fb1ed68124c3..ed05b2d9a4d24 100644 --- a/doc/releases/releases.yml +++ b/doc/releases/releases.yml 
@@ -17,9 +17,10 @@ releases: releases: - version: 17.2.0 released: 2022-04-19 - releases: - version: 17.2.1 released: 2022-06-23 + - version: 17.2.2 + released: 2022-07-21 pacific: target_eol: 2023-06-01 -- 2.39.5
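Review bot: In the quincy.rst hunk, the second "Notable Changes" bullet has a duplicated word and a missing comma: "dereference a null pointer for for s3website requests that don't refer to a bucket resulting in an RGW segfault" should read "dereference a null pointer for s3website requests that don't refer to a bucket, resulting in an RGW segfault". Two further doc points in the same hunk: the intro says the release "resolves two security flaws", but only the mgr/volumes fix carries an identifier (:ref:`CVE-2022-0670`) while the rgw s3website entry in the Changelog has none, so if a tracker or CVE id exists for the RGW null dereference it should be cited there for consistency; and the :ref:`CVE-2022-0670` role only resolves if a label of that name exists elsewhere in the doc tree, otherwise the Sphinx build will emit an undefined-label warning, so please confirm the label is present (or use a plain link) before merging.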