A security issue fixed upstream in Ceph has been announced on April 14:
Mageia 8 is also affected.
Patches available from upstream
Thanks, I'll have a look and fix.
Bug fix release 15.2.11 landing in updates_testing, with the included security fixes as well as other bug fixes.
NB: Cauldron will follow, but I'd like to move to 16.0.* version on it.
Updated ceph packages fix a security vulnerability (CVE-2021-20288).
An authentication flaw was found in ceph. When the monitor handles
CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys,
allowing key reuse. An attacker who can request a global_id can exploit the
ability of any user to request a global_id previously associated with
another user, as ceph does not force the reuse of old keys to generate new
ones. The highest threat from this vulnerability is to data confidentiality
and integrity as well as system availability.
Updated packages in core/updates_testing:
QA last saw this in Bug 28538. While Len Lawrence gave it a valiant try, it was eventually concluded that testing this was beyond the scope of QA, so we passed it on the basis of a clean install. Doing the same thing here.
Installed the above packages and dependencies in a VirtualBox MGA8-64 Plasma guest, 148 packages in all. No installation issues. Used the package list from Comment 2 in qarepo, again with no installation issues.
Giving this a 64-bit OK, and validating. Advisory in Comment 2.
An update for this issue has been pushed to the Mageia Updates repository.