doc/releases/mimic: v13.2.4 #25793
Merged
doc/releases/mimic: v13.2.4 #25793
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Henceforth, we'll require explicit `allow` caps for commands, or for the config-key service. Blanket caps are no longer allowed for the config-key service, except for 'allow *'. Signed-off-by: Joao Eduardo Luis <joao@suse.de>
RGW S3 listing operations provided a way for authenticated users to cause a denial of service against OMAPs holding bucket indices. Bound the min & max values that a user could pass into the max-X parameters, to keep the system safe. The default of 1000 is chosen to match AWS S3 behavior. Affected operations: - ListBucket, via max-keys - ListBucketVersions, via max-keys - ListBucketMultiPartUploads, via max-uploads - ListMultipartUploadParts, via max-parts The Swift bucket listing codepath already enforced a limit, so is unaffected by this issue. Prior to this commit, the effective limit is the lower of osd_max_omap_entries_per_request or osd_max_omap_bytes_per_request. Backport: luminous, mimic Fixes: http://tracker.ceph.com/issues/35994 Signed-off-by: Robin H. Johnson <rjohnson@digitalocean.com>
The patch to enforce bounds on max-keys/max-uploads/max-parts had a few issues that would prevent us from compiling it. Instead of changing the code provided by the submitter, we're addressing them in a separate commit to maintain the DCO. Signed-off-by: Joao Eduardo Luis <joao@suse.de>
djgalloway
approved these changes
Jan 4, 2019
Signed-off-by: Sage Weil <sage@redhat.com>
gregsfortytwo
approved these changes
Jan 4, 2019
There was a problem hiding this comment.
I'm not real familiar with the tests, but looks fine!
Reviewed-by: Greg Farnum gfarnum@redhat.com
liewegas
added a commit
that referenced
this pull request
Jan 4, 2019
* refs/pull/25793/head: Merge remote-tracking branch 'private/wip-mon-kv-fix' into wip-mimic-4 Merge remote-tracking branch 'private/wip-rgw-max-keys' into wip-mimic-4 doc/releases/mimic: v13.2.4 rgw: fix issues with 'enforce bounds' patch rgw: enforce bounds on max-keys/max-uploads/max-parts mon/config-key: limit caps allowed to access the store Reviewed-by: Gregory Farnum <gfarnum@redhat.com> Reviewed-by: David Galloway <dgallowa@redhat.com> Reviewed-by: Greg Farnum <gfarnum@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Sage Weil sage@redhat.com
CVE-2018-14662
CVE-2018-16846