From e65123b47921cc1d48d8ad79bc313f9028432d49 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Tue, 13 Apr 2021 12:52:58 -0500 Subject: [PATCH] doc/releases: add 14.2.20, 15.2.11 and 16.2.1 releases and notes Signed-off-by: Sage Weil --- doc/releases/nautilus.rst | 32 ++++++++++++++++++++++++++++++++ doc/releases/octopus.rst | 28 ++++++++++++++++++++++++++++ doc/releases/pacific.rst | 29 +++++++++++++++++++++++++++++ doc/releases/releases.yml | 6 ++++++ 4 files changed, 95 insertions(+) diff --git a/doc/releases/nautilus.rst b/doc/releases/nautilus.rst index 5dc4866654f..73b28ae33c7 100644 --- a/doc/releases/nautilus.rst +++ b/doc/releases/nautilus.rst @@ -6,6 +6,38 @@ Nautilus is the 14th stable release of Ceph. It is named after the nautilus, a family of cephalopods characterized by a whorled shell. +v14.2.20 Nautilus +================= + +This is the 20th bugfix release in the Nautilus stable series. It addresses a +security vulnerability in the Ceph authentication framework. + +We recommend all Nautilus users upgrade. + +Security fixes +-------------- + +* This release includes a security fix that ensures the global_id + value (a numeric value that should be unique for every authenticated + client or daemon in the cluster) is reclaimed after a network + disconnect or ticket renewal in a secure fashion. Two new health + alerts may appear during the upgrade indicating that there are + clients or daemons that are not yet patched with the appropriate + fix. + + It is possible to disable the health alerts around insecure clients:: + + ceph config set mon mon_warn_on_insecure_global_id_reclaim_allowed false + ceph config set mon auth_expose_insecure_global_id_reclaim false + + However, if you disable these alerts, we strongly recommend that you + follow up by removing these settings after clients have been + upgraded or after upgrading to Octopus. (Starting in Octopus, these + health alerts can be muted for a specific period of time.) + + For more information, see :ref:`CVE-2021-20288`. + + v14.2.19 Nautilus ================= diff --git a/doc/releases/octopus.rst b/doc/releases/octopus.rst index 5390662fbac..fd2e5e73510 100644 --- a/doc/releases/octopus.rst +++ b/doc/releases/octopus.rst @@ -6,6 +6,34 @@ Octopus is the 15th stable release of Ceph. It is named after an order of 8-limbed cephalopods. +v15.2.11 Octopus +================ + +This is the 11th bugfix release in the Octopus stable series. It addresses a +security vulnerability in the Ceph authentication framework. + +We recommend all Octopus users upgrade. + +Security fixes +-------------- + +* This release includes a security fix that ensures the global_id + value (a numeric value that should be unique for every authenticated + client or daemon in the cluster) is reclaimed after a network + disconnect or ticket renewal in a secure fashion. Two new health + alerts may appear during the upgrade indicating that there are + clients or daemons that are not yet patched with the appropriate + fix. + + To temporarily mute the health alerts around insecure clients for the duration of the + upgrade, you may want to:: + + ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM 1h + ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 1h + + For more information, see :ref:`CVE-2021-20288`. + + v15.2.10 Octopus ================ diff --git a/doc/releases/pacific.rst b/doc/releases/pacific.rst index 9207f50aa0b..6b5c02066c5 100644 --- a/doc/releases/pacific.rst +++ b/doc/releases/pacific.rst @@ -6,6 +6,35 @@ Pacific is the 16th stable release of Ceph. It is named after the giant pacific octopus (Enteroctopus dofleini). +v16.2.1 Pacific +=============== + +This is the first bugfix release in the Pacific stable series. It addresses a +security vulnerability in the Ceph authentication framework. + +We recommend all Pacific users upgrade. + +Security fixes +-------------- + +* This release includes a security fix that ensures the global_id + value (a numeric value that should be unique for every authenticated + client or daemon in the cluster) is reclaimed after a network + disconnect or ticket renewal in a secure fashion. Two new health + alerts may appear during the upgrade indicating that there are + clients or daemons that are not yet patched with the appropriate + fix. + + To temporarily mute the health alerts around insecure clients for the duration of the + upgrade, you may want to:: + + ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM 1h + ceph health mute AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED 1h + + For more information, see :ref:`CVE-2021-20288`. + + + v16.2.0 Pacific =============== diff --git a/doc/releases/releases.yml b/doc/releases/releases.yml index 1c6e2a0f62d..03ce01e2212 100644 --- a/doc/releases/releases.yml +++ b/doc/releases/releases.yml @@ -15,12 +15,16 @@ releases: pacific: target_eol: 2023-06-01 releases: + - version: 16.2.1 + released: 2021-04-19 - version: 16.2.0 released: 2021-03-31 octopus: target_eol: 2022-06-01 releases: + - version: 15.2.11 + released: 2021-04-19 - version: 15.2.10 released: 2021-03-18 - version: 15.2.9 @@ -47,6 +51,8 @@ releases: nautilus: target_eol: 2021-06-01 releases: + - version: 14.2.20 + released: 2021-04-19 - version: 14.2.19 released: 2021-03-30 - version: 14.2.18