doc: 16.2.10 Release notes

Signed-off-by: David Galloway <dgallowa@redhat.com>
2025-01-01 08:32:24 +00:00 · 2022-07-21 12:45:45 -04:00 · 2022-07-21 12:45:45 -04:00 · 58320b2c69
commit 58320b2c69
parent 3b7bf3de9c
3 changed files with 38 additions and 0 deletions
--- a/doc/releases/index.rst
+++ b/doc/releases/index.rst
@ -67,6 +67,7 @@ Release timeline
 .. _17.2.2: quincy#v17-2-2-quincy

 .. _Pacific: pacific
+.. _16.2.10: pacific#v16-2-10-pacific
 .. _16.2.9: pacific#v16-2-9-pacific
 .. _16.2.8: pacific#v16-2-8-pacific
 .. _16.2.7: pacific#v16-2-7-pacific
--- a/doc/releases/pacific.rst
+++ b/doc/releases/pacific.rst
@ -2,6 +2,41 @@
 Pacific
 =======

+v16.2.10 Pacific
+================
+
+This is a hotfix release that resolves two security flaws.
+
+Notable Changes
+---------------
+* Users who were running OpenStack Manila to export native CephFS, who
+  upgraded their Ceph cluster from Nautilus (or earlier) to a later
+  major version, were vulnerable to an attack by malicious users. The
+  vulnerability allowed users to obtain access to arbitrary portions of
+  the CephFS filesystem hierarchy, instead of being properly restricted
+  to their own subvolumes. The vulnerability is due to a bug in the
+  "volumes" plugin in Ceph Manager. This plugin is responsible for
+  managing Ceph File System subvolumes which are used by OpenStack
+  Manila services as a way to provide shares to Manila users.
+  
+  With this hotfix, the vulnerability is fixed. Administrators who are
+  concerned they may have been impacted should audit the CephX keys in
+  their cluster for proper path restrictions.
+  
+  Again, this vulnerability only impacts OpenStack Manila clusters which
+  provided native CephFS access to their users.
+
+* A regression made it possible to dereference a null pointer for
+  for s3website requests that don't refer to a bucket resulting in an RGW
+  segfault.
+
+Changelog
+---------
+* mgr/volumes: Fix subvolume discover during upgrade (:ref:`CVE-2022-0670`, Kotresh HR)
+* mgr/volumes: V2 Fix for test_subvolume_retain_snapshot_invalid_recreate (:ref:`CVE-2022-0670`, Kotresh HR)
+* qa: validate subvolume discover on upgrade (Kotresh HR)
+* rgw: s3website check for bucket before retargeting (Seena Fallah)
+
 v16.2.9 Pacific
 ===============

--- a/doc/releases/releases.yml
+++ b/doc/releases/releases.yml
@ -25,6 +25,8 @@ releases:
  pacific:
    target_eol: 2023-06-01
    releases:
+      - version: 16.2.10
+        released: 2022-07-21
      - version: 16.2.9
        released: 2022-05-19
      - version: 16.2.8