On Tue, Apr 20, 2021 at 2:01 AM David Galloway <dgallowa(a)redhat.com> wrote:
> This is the 20th bugfix release in the Nautilus stable series. It
> addresses a security vulnerability in the Ceph authentication framework.
> We recommend that users update to this release. For detailed release
> notes with links & changelog, please refer to the official blog entry at
> https://ceph.io/releases/v14-2-20-nautilus-released
>
> Security Fixes
> --------------
>
> * This release includes a security fix that ensures the global_id value
>   (a numeric value that should be unique for every authenticated client or
>   daemon in the cluster) is reclaimed after a network disconnect or ticket
>   renewal in a secure fashion. Two new health alerts may appear during
>   the upgrade indicating that there are clients or daemons that are not
>   yet patched with the appropriate fix.

The link in the blog entry should point at
https://docs.ceph.com/en/latest/security/CVE-2021-20288/
Please refer there for details and recommendations.
Thanks,
Ilya