From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-ID: <1544048717.2867.17.camel@codethink.co.uk> Subject: Re: Patch "libceph: implement CEPHX_V2 calculation mode" has been added to the 4.14-stable tree From: Ben Hutchings To: Sasha Levin , Ilya Dryomov Cc: stable-commits@vger.kernel.org, stable@vger.kernel.org Date: Wed, 05 Dec 2018 22:25:17 +0000 In-Reply-To: <20181203161632.GK235790@sasha-vm> References: <20181202155105.CA3F220851@mail.kernel.org> <20181203152602.GH235790@sasha-vm> <20181203161632.GK235790@sasha-vm> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 8bit List-ID: On Mon, 2018-12-03 at 11:16 -0500, Sasha Levin wrote: > On Mon, Dec 03, 2018 at 04:32:18PM +0100, Ilya Dryomov wrote: > > On Mon, Dec 3, 2018 at 4:26 PM Sasha Levin wrote: > > > > > > + Ben > > > > > > On Mon, Dec 03, 2018 at 12:09:25PM +0100, Ilya Dryomov wrote: [...] > > > > The CVEs mentioned in this series are server side and CEPHX_V2 is > > > > probably more of a new feature than a security fix.  That said, I don't > > > > object to including it in 4.14.z.  If you do, please pick up the > > > > remaining two patches for interoperability: > > > > > > > > f1d10e046379 libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() > > > > 130f52f2b203 libceph: check authorizer reply/challenge length before reading > > > > > > Would I be pulling this patch if it didn't have the string > > > "CVE-2018-1129" in the commit message? > > > > Well, I didn't mark this series for stable, so probably not. > > Alrighty, thanks. > > Ben, any objections to dropping this patch? My understanding is that while the security impact is on the server side, an unpatched client won't be able to authenticate to a patched server. Assuming that is correct, this change seems to fit the stable rules. Ben. -- Ben Hutchings, Software Developer   Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom