Comment 8 for bug 1904015

Goutham Pacha Ravi (gouthamr) wrote :

Hello all,

Thank you for your patience with this issue. This morning, we finished our embargo period on this bug. MITRE will be notified about the patch submissions to the Ceph project - at which point the CVE page [1] will be available publicly. These are the associated patch links:

Ceph Octopus: https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05
Ceph Nautilus: https://github.com/ceph/ceph/commit/7e3e4e73783a98bb07ab399438eb3aab41a6fc8b
Ceph Luminous: https://github.com/ceph/ceph/commit/956ceb853a58f6b6847b31fac34f2f0228a70579

You will see these show up in releases of Ceph Octopus and Ceph Nautilus. The patch to Luminous has been provided as a courtesy; the Ceph community no longer produces updates for that release. Please see the Ceph Release Guide for more information on the Ceph release train [2].

I'm now converting this bug to "Public", and since there are no changes to OpenStack Manila code that are necessary, you will see me publishing a security note to the mailing lists with details about this vulnerability and recommendations.

The OpenStack Security Note is under review here: https://review.opendev.org/767417

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27781
[2] https://docs.ceph.com/en/latest/releases/general/