[Nix-dev] Calling All Ceph Users: Ceph Needs a Maintainer

Graham Christensen graham at grahamc.com
Wed Dec 28 23:37:26 CET 2016


Hello Nixies!

A CVE has been issued for Ceph: CVE-2016-5009

> The handle_command function in mon/Monitor.cc in Ceph allows remote
> authenticated users to cause a denial of service (segmentation fault
> and ceph monitor crash) via an (1) empty or (2) crafted prefix.

(More: https://lwn.net/Vulnerabilities/709844/)

and it looks like our version hasn't been maintained in over a year now.
Added to that, no other distros seem to use what we're on. This makes it
difficult to patch what we have, and it being so old means Ceph probably
won't be releasing an update for it.

Our version of Ceph being so old also hints to me nobody is using it.

If that is the case, I'll mark it as broken.

If not, it would be very good for someone to step up as a maintainer. Is
that you? If so -- please check out the vulnerability roundup:
https://github.com/NixOS/nixpkgs/issues/21457

Thank you,
Graham

