Bug 248673

Created attachment 217235 [details]
Upgrades diff, this time with correct sha1 ID

Forgot to update the final sha, which is compiled in for ceph -v

Comment 2 Kubilay Kocak 2020-08-16 02:20:45 UTC

^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval

Attachment -> Details -> maintainer-approval [+]

Also, If you could obsolete the prior patch that would be great

Additionally, the 14.2.10 changelog notes a security fix:

CVE-2020-10753: rgw: sanitize newlines in s3 CORSConfiguration’s ExposeHeader (William Bowling, Adam Mohammed, Casey Bodley)

If this .9 -> .11 cannot/shouldn't be merged to quarterly (it is a bugfix release), then a separate patch for .9 -> .10 should be produced such that that update can be committed first and merged to quarterly

I would opt for merging the .9 -> .11 update unless there is a good reason not to.

Pending security/VuXML entry

(In reply to Kubilay Kocak from comment #2)

Update patch 1 obsoletion, and maintainer approval.

Further I did not have time to import 14.2.10 when it was released.
So I more or less missed the release of that, including the CVE.

I hope that this patch can go in as one, since making it build in both ports and poudriere, and doing so basic QA takes quite some time.

From the pending, I conclude that I also need to add that CVE to security/VuXML??

Comment 4 Florian Smeets 2020-08-16 11:49:25 UTC

(In reply to Willem Jan Withagen from comment #3)
I'm with koobs here, we should just request MFH for the .11

If you could update the PR with vuxml diff that'd be great, otherwise I'll take care of that before committing.

Created attachment 217265 [details]
vuxml description for CVE-2020-20753

Describes the CVE which was fixed in Ceph 14.2.10

Comment 6 Jochen Neumeister 2020-08-16 18:05:21 UTC

Approved for 2020Q3

joneum (ports-secteam)

Comment 7 Florian Smeets 2020-08-16 20:12:13 UTC

(In reply to Willem Jan Withagen from comment #5)

With the patch in this PR I get build failures.

https://packages.smeets.xyz/logs/bulk/111amd64-ports-dev/2020-08-16_20h11m14s/logs/errors/ceph14-14.2.11.log
https://packages.smeets.xyz/logs/bulk/12amd64-ports-dev/2020-08-16_20h12m49s/logs/errors/ceph14-14.2.11.log

JAILNAME     VERSION                      ARCH          METHOD TIMESTAMP           PATH
111amd64     11.4-RELEASE                 amd64         ftp    2020-06-17 16:42:41 /usr/local/poudriere/jails/111amd64
12amd64      12.1-RELEASE-p6              amd64         ftp    2020-06-17 16:49:41 /usr/local/poudriere/jails/12amd64

(In reply to Florian Smeets from comment #7)

Arrrg, sorry about that

I send the diff the second time against the /usr/ports/ version, instead of what I had in poudriere.
That had the fix for repairing the odd way that the Linux version has incorporated libfmt....

I'll upload a new patch

Created attachment 217269 [details]
Upgrades diff, this time with extra files

Comment 10 Kubilay Kocak 2020-08-17 04:08:07 UTC

^Triage: Leave merge-quarterly flag open (?) until merge

Comment 11 commit-hook 2020-08-17 20:10:09 UTC

A commit references this bug:

Author: flo
Date: Mon Aug 17 20:10:05 UTC 2020
New revision: 545184
URL: https://svnweb.freebsd.org/changeset/ports/545184

Log:
  Document ceph vulnerability

  PR:		248673
  Submitted by:	Willem Jan Withagen <wjw@digiware.nl>

Changes:
  head/security/vuxml/vuln.xml

Comment 12 commit-hook 2020-08-17 20:16:11 UTC

A commit references this bug:

Author: flo
Date: Mon Aug 17 20:15:52 UTC 2020
New revision: 545185
URL: https://svnweb.freebsd.org/changeset/ports/545185

Log:
  Update to 14.2.11

  Release info:
  We're happy to announce the availability of the eleventh release in the
  Nautilus series. This release brings a number of bugfixes across all
  major components of Ceph. We recommend that all Nautilus users upgrade
  to this release.

  Notable Changes
  ---------------
  * RGW: The `radosgw-admin` sub-commands dealing with orphans --
    `radosgw-admin orphans find`, `radosgw-admin orphans finish`,
    `radosgw-admin orphans list-jobs` -- have been deprecated. They
    have not been actively maintained and they store intermediate
    results on the cluster, which could fill a nearly-full cluster.
    They have been replaced by a tool, currently considered
    experimental, `rgw-orphan-list`.

  * Now when noscrub and/or nodeep-scrub flags are set globally or per pool,
    scheduled scrubs of the type disabled will be aborted. All user initiated
    scrubs are NOT interrupted.

  * Fixed a ceph-osd crash in _committed_osd_maps when there is a failure to encode
    the first incremental map. issue#46443: https://github.com/ceph/ceph/pull/46443

  For the detailed changelog please refer to the blog entry at
  https://ceph.io/releases/v14-2-11-nautilus-released/

  PR:		248673
  Submitted by:	Willem Jan Withagen <wjw@digiware.nl>
  MFH:		2020Q3
  Security:	f20eb9a4-dfea-11ea-a9b8-9c5c8e84d621

Changes:
  head/net/ceph14/Makefile
  head/net/ceph14/distinfo
  head/net/ceph14/files/file-git_version
  head/net/ceph14/files/patch-src_msg_async_frames_v2.cc.diff
  head/net/ceph14/files/patch-src_rgw_rgw_lc.cc.diff
  head/net/ceph14/files/patch-src_rgw_rgw_main.cc.diff
  head/net/ceph14/pkg-plist

Comment 13 commit-hook 2020-08-17 20:20:13 UTC

A commit references this bug:

Author: flo
Date: Mon Aug 17 20:19:13 UTC 2020
New revision: 545186
URL: https://svnweb.freebsd.org/changeset/ports/545186

Log:
  MFH: r545185

  Update to 14.2.11

  Release info:
  We're happy to announce the availability of the eleventh release in the
  Nautilus series. This release brings a number of bugfixes across all
  major components of Ceph. We recommend that all Nautilus users upgrade
  to this release.

  Notable Changes
  ---------------
  * RGW: The `radosgw-admin` sub-commands dealing with orphans --
    `radosgw-admin orphans find`, `radosgw-admin orphans finish`,
    `radosgw-admin orphans list-jobs` -- have been deprecated. They
    have not been actively maintained and they store intermediate
    results on the cluster, which could fill a nearly-full cluster.
    They have been replaced by a tool, currently considered
    experimental, `rgw-orphan-list`.

  * Now when noscrub and/or nodeep-scrub flags are set globally or per pool,
    scheduled scrubs of the type disabled will be aborted. All user initiated
    scrubs are NOT interrupted.

  * Fixed a ceph-osd crash in _committed_osd_maps when there is a failure to encode
    the first incremental map. issue#46443: https://github.com/ceph/ceph/pull/46443

  For the detailed changelog please refer to the blog entry at
  https://ceph.io/releases/v14-2-11-nautilus-released/

  PR:		248673
  Submitted by:	Willem Jan Withagen <wjw@digiware.nl>
  Security:	f20eb9a4-dfea-11ea-a9b8-9c5c8e84d621
  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/net/ceph14/Makefile
  branches/2020Q3/net/ceph14/distinfo
  branches/2020Q3/net/ceph14/files/file-git_version
  branches/2020Q3/net/ceph14/files/patch-src_msg_async_frames_v2.cc.diff
  branches/2020Q3/net/ceph14/files/patch-src_rgw_rgw_lc.cc.diff
  branches/2020Q3/net/ceph14/files/patch-src_rgw_rgw_main.cc.diff
  branches/2020Q3/net/ceph14/pkg-plist