From b8aa31c8c97dd10ac4df8d71d36d927c4e8b6d6d Mon Sep 17 00:00:00 2001 From: "sakib.sajal@windriver.com" Date: Wed, 23 Dec 2020 15:39:16 -0500 Subject: ceph: uprev v15.2.0 -> v15.2.8 Removed patches that are contained in newer version. Contains fixes to CVES: CVE-2020-27781 CVE 2020-25660 CVE-2020-10753 CVE-2020-10736 CVE-2020-1759 CVE-2020-1760 Built and run tested. Signed-off-by: Sakib Sajal Signed-off-by: Bruce Ashfield --- ...re-all-caps-for-pre-octopus-tell-commands.patch | 100 -------- ...rotocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch | 256 --------------------- ...c-crypto_onwire-fix-endianness-of-nonce_t.patch | 61 ----- .../0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch | 33 --- ...control-characters-in-response-header-act.patch | 64 ------ ...t-unauthenticated-response-header-actions.patch | 36 --- ...-caps-for-pre-octopus-client-tell-command.patch | 95 -------- ...ndingReleaseNotes-note-about-security-fix.patch | 31 --- recipes-extended/ceph/ceph_15.2.0.bb | 153 ------------ recipes-extended/ceph/ceph_15.2.8.bb | 145 ++++++++++++ 10 files changed, 145 insertions(+), 829 deletions(-) delete mode 100644 recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch delete mode 100644 recipes-extended/ceph/ceph/0001-msg-async-ProtocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch delete mode 100644 recipes-extended/ceph/ceph/0001-msg-async-crypto_onwire-fix-endianness-of-nonce_t.patch delete mode 100644 recipes-extended/ceph/ceph/0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch delete mode 100644 recipes-extended/ceph/ceph/0001-rgw-reject-control-characters-in-response-header-act.patch delete mode 100644 recipes-extended/ceph/ceph/0001-rgw-reject-unauthenticated-response-header-actions.patch delete mode 100644 recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch delete mode 100644 recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch delete mode 100644 recipes-extended/ceph/ceph_15.2.0.bb create mode 100644 recipes-extended/ceph/ceph_15.2.8.bb diff --git a/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch b/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch deleted file mode 100644 index de191bf8..00000000 --- a/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch +++ /dev/null @@ -1,100 +0,0 @@ -From de67c1dab5597c91538970421b25f6ec667af492 Mon Sep 17 00:00:00 2001 -From: Josh Durgin -Date: Mon, 4 May 2020 17:03:35 -0400 -Subject: [PATCH 1/3] mgr: require all caps for pre-octopus tell commands - -This matches the requirements for admin socket commands -sent via tell elsewhere. - -Signed-off-by: Josh Durgin - -Upstream-status: Backport -[https://github.com/ceph/ceph/commit/347003e13167c428187a5450517850f4d85e09ad] - -Signed-off-by: Liu Haitao ---- - src/mgr/DaemonServer.cc | 37 ++++++++++++++++++++++--------------- - 1 file changed, 22 insertions(+), 15 deletions(-) - -diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc -index becd428a..527326e3 100644 ---- a/src/mgr/DaemonServer.cc -+++ b/src/mgr/DaemonServer.cc -@@ -808,20 +808,12 @@ public: - bool DaemonServer::handle_command(const ref_t& m) - { - std::lock_guard l(lock); -- // a blank fsid in MCommand signals a legacy client sending a "mon-mgr" CLI -- // command. -- if (m->fsid != uuid_d()) { -- cct->get_admin_socket()->queue_tell_command(m); -+ auto cmdctx = std::make_shared(m); -+ try { -+ return _handle_command(cmdctx); -+ } catch (const bad_cmd_get& e) { -+ cmdctx->reply(-EINVAL, e.what()); - return true; -- } else { -- // legacy client; send to CLI processing -- auto cmdctx = std::make_shared(m); -- try { -- return _handle_command(cmdctx); -- } catch (const bad_cmd_get& e) { -- cmdctx->reply(-EINVAL, e.what()); -- return true; -- } - } - } - -@@ -853,8 +845,12 @@ bool DaemonServer::_handle_command( - std::shared_ptr& cmdctx) - { - MessageRef m; -+ bool admin_socket_cmd = false; - if (cmdctx->m_tell) { - m = cmdctx->m_tell; -+ // a blank fsid in MCommand signals a legacy client sending a "mon-mgr" CLI -+ // command. -+ admin_socket_cmd = (cmdctx->m_tell->fsid != uuid_d()); - } else { - m = cmdctx->m_mgr; - } -@@ -888,7 +884,10 @@ bool DaemonServer::_handle_command( - - dout(10) << "decoded-size=" << cmdctx->cmdmap.size() << " prefix=" << prefix << dendl; - -- if (prefix == "get_command_descriptions") { -+ // this is just for mgr commands - admin socket commands will fall -+ // through and use the admin socket version of -+ // get_command_descriptions -+ if (prefix == "get_command_descriptions" && !admin_socket_cmd) { - dout(10) << "reading commands from python modules" << dendl; - const auto py_commands = py_modules.get_commands(); - -@@ -925,7 +924,10 @@ bool DaemonServer::_handle_command( - - bool is_allowed = false; - ModuleCommand py_command; -- if (!mgr_cmd) { -+ if (admin_socket_cmd) { -+ // admin socket commands require all capabilities -+ is_allowed = session->caps.is_allow_all(); -+ } else if (!mgr_cmd) { - // Resolve the command to the name of the module that will - // handle it (if the command exists) - auto py_commands = py_modules.get_py_commands(); -@@ -958,6 +960,11 @@ bool DaemonServer::_handle_command( - << "entity='" << session->entity_name << "' " - << "cmd=" << cmdctx->cmd << ": dispatch"; - -+ if (admin_socket_cmd) { -+ cct->get_admin_socket()->queue_tell_command(cmdctx->m_tell); -+ return true; -+ } -+ - // ---------------- - // service map commands - if (prefix == "service dump") { --- -2.25.1 - diff --git a/recipes-extended/ceph/ceph/0001-msg-async-ProtocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch b/recipes-extended/ceph/ceph/0001-msg-async-ProtocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch deleted file mode 100644 index 54156698..00000000 --- a/recipes-extended/ceph/ceph/0001-msg-async-ProtocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch +++ /dev/null @@ -1,256 +0,0 @@ -From 20b7bb685c5ea74c651ca1ea547ac66b0fee7035 Mon Sep 17 00:00:00 2001 -From: Ilya Dryomov -Date: Fri, 6 Mar 2020 20:16:45 +0100 -Subject: [PATCH] msg/async/ProtocolV2: avoid AES-GCM nonce reuse - vulnerabilities - -The secure mode uses AES-128-GCM with 96-bit nonces consisting of a -32-bit counter followed by a 64-bit salt. The counter is incremented -after processing each frame, the salt is fixed for the duration of -the session. Both are initialized from the session key generated -during session negotiation, so the counter starts with essentially -a random value. It is allowed to wrap, and, after 2**32 frames, it -repeats, resulting in nonce reuse (the actual sequence numbers that -the messenger works with are 64-bit, so the session continues on). - -Because of how GCM works, this completely breaks both confidentiality -and integrity aspects of the secure mode. A single nonce reuse reveals -the XOR of two plaintexts and almost completely reveals the subkey -used for producing authentication tags. After a few nonces get used -twice, all confidentiality and integrity goes out the window and the -attacker can potentially encrypt-authenticate plaintext of their -choice. - -We can't easily change the nonce format to extend the counter to -64 bits (and possibly XOR it with a longer salt). Instead, just -remember the initial nonce and cut the session before it repeats, -forcing renegotiation. - -Signed-off-by: Ilya Dryomov -Reviewed-by: Radoslaw Zarzynski -Reviewed-by: Sage Weil - -Conflicts: - src/msg/async/ProtocolV2.h [ context: commit ed3ec4c01d17 - ("msg: Build target 'common' without using namespace in - headers") not in octopus ] - -CVE: CVE-2020-1759 -Upstream Status: Backport [20b7bb685c5ea74c651ca1ea547ac66b0fee7035] - -Signed-off-by: Sakib Sajal ---- - src/msg/async/ProtocolV2.cc | 62 ++++++++++++++++++++++++---------- - src/msg/async/ProtocolV2.h | 5 +-- - src/msg/async/crypto_onwire.cc | 17 ++++++++-- - src/msg/async/crypto_onwire.h | 5 +++ - 4 files changed, 67 insertions(+), 22 deletions(-) - -diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc -index 8fc02db6e5..c69f2ccf79 100644 ---- a/src/msg/async/ProtocolV2.cc -+++ b/src/msg/async/ProtocolV2.cc -@@ -533,7 +533,10 @@ ssize_t ProtocolV2::write_message(Message *m, bool more) { - m->get_payload(), - m->get_middle(), - m->get_data()); -- connection->outgoing_bl.append(message.get_buffer(session_stream_handlers)); -+ if (!append_frame(message)) { -+ m->put(); -+ return -EILSEQ; -+ } - - ldout(cct, 5) << __func__ << " sending message m=" << m - << " seq=" << m->get_seq() << " " << *m << dendl; -@@ -566,15 +569,17 @@ ssize_t ProtocolV2::write_message(Message *m, bool more) { - return rc; - } - --void ProtocolV2::append_keepalive() { -- ldout(cct, 10) << __func__ << dendl; -- auto keepalive_frame = KeepAliveFrame::Encode(); -- connection->outgoing_bl.append(keepalive_frame.get_buffer(session_stream_handlers)); --} -- --void ProtocolV2::append_keepalive_ack(utime_t ×tamp) { -- auto keepalive_ack_frame = KeepAliveFrameAck::Encode(timestamp); -- connection->outgoing_bl.append(keepalive_ack_frame.get_buffer(session_stream_handlers)); -+template -+bool ProtocolV2::append_frame(F& frame) { -+ ceph::bufferlist bl; -+ try { -+ bl = frame.get_buffer(session_stream_handlers); -+ } catch (ceph::crypto::onwire::TxHandlerError &e) { -+ ldout(cct, 1) << __func__ << " " << e.what() << dendl; -+ return false; -+ } -+ connection->outgoing_bl.append(bl); -+ return true; - } - - void ProtocolV2::handle_message_ack(uint64_t seq) { -@@ -612,7 +617,15 @@ void ProtocolV2::write_event() { - connection->write_lock.lock(); - if (can_write) { - if (keepalive) { -- append_keepalive(); -+ ldout(cct, 10) << __func__ << " appending keepalive" << dendl; -+ auto keepalive_frame = KeepAliveFrame::Encode(); -+ if (!append_frame(keepalive_frame)) { -+ connection->write_lock.unlock(); -+ connection->lock.lock(); -+ fault(); -+ connection->lock.unlock(); -+ return; -+ } - keepalive = false; - } - -@@ -663,13 +676,16 @@ void ProtocolV2::write_event() { - if (r == 0) { - uint64_t left = ack_left; - if (left) { -- auto ack = AckFrame::Encode(in_seq); -- connection->outgoing_bl.append(ack.get_buffer(session_stream_handlers)); - ldout(cct, 10) << __func__ << " try send msg ack, acked " << left - << " messages" << dendl; -- ack_left -= left; -- left = ack_left; -- r = connection->_try_send(left); -+ auto ack_frame = AckFrame::Encode(in_seq); -+ if (append_frame(ack_frame)) { -+ ack_left -= left; -+ left = ack_left; -+ r = connection->_try_send(left); -+ } else { -+ r = -EILSEQ; -+ } - } else if (is_queued()) { - r = connection->_try_send(); - } -@@ -769,7 +785,13 @@ template - CtPtr ProtocolV2::write(const std::string &desc, - CONTINUATION_TYPE &next, - F &frame) { -- ceph::bufferlist bl = frame.get_buffer(session_stream_handlers); -+ ceph::bufferlist bl; -+ try { -+ bl = frame.get_buffer(session_stream_handlers); -+ } catch (ceph::crypto::onwire::TxHandlerError &e) { -+ ldout(cct, 1) << __func__ << " " << e.what() << dendl; -+ return _fault(); -+ } - return write(desc, next, bl); - } - -@@ -1672,7 +1694,11 @@ CtPtr ProtocolV2::handle_keepalive2(ceph::bufferlist &payload) - ldout(cct, 30) << __func__ << " got KEEPALIVE2 tag ..." << dendl; - - connection->write_lock.lock(); -- append_keepalive_ack(keepalive_frame.timestamp()); -+ auto keepalive_ack_frame = KeepAliveFrameAck::Encode(keepalive_frame.timestamp()); -+ if (!append_frame(keepalive_ack_frame)) { -+ connection->write_lock.unlock(); -+ return _fault(); -+ } - connection->write_lock.unlock(); - - ldout(cct, 20) << __func__ << " got KEEPALIVE2 " -diff --git a/src/msg/async/ProtocolV2.h b/src/msg/async/ProtocolV2.h -index 2dbe647ae5..9897d18cf2 100644 ---- a/src/msg/async/ProtocolV2.h -+++ b/src/msg/async/ProtocolV2.h -@@ -129,6 +129,9 @@ private: - CONTINUATION_TYPE &next, - bufferlist &buffer); - -+ template -+ bool append_frame(F& frame); -+ - void requeue_sent(); - uint64_t discard_requeued_up_to(uint64_t out_seq, uint64_t seq); - void reset_recv_state(); -@@ -140,8 +143,6 @@ private: - void prepare_send_message(uint64_t features, Message *m); - out_queue_entry_t _get_next_outgoing(); - ssize_t write_message(Message *m, bool more); -- void append_keepalive(); -- void append_keepalive_ack(utime_t ×tamp); - void handle_message_ack(uint64_t seq); - - CONTINUATION_DECL(ProtocolV2, _wait_for_peer_banner); -diff --git a/src/msg/async/crypto_onwire.cc b/src/msg/async/crypto_onwire.cc -index acf3f66689..07e7fe6553 100644 ---- a/src/msg/async/crypto_onwire.cc -+++ b/src/msg/async/crypto_onwire.cc -@@ -22,6 +22,10 @@ static constexpr const std::size_t AESGCM_BLOCK_LEN{16}; - struct nonce_t { - std::uint32_t random_seq; - std::uint64_t random_rest; -+ -+ bool operator==(const nonce_t& rhs) const { -+ return !memcmp(this, &rhs, sizeof(*this)); -+ } - } __attribute__((packed)); - static_assert(sizeof(nonce_t) == AESGCM_IV_LEN); - -@@ -35,7 +39,8 @@ class AES128GCM_OnWireTxHandler : public ceph::crypto::onwire::TxHandler { - CephContext* const cct; - std::unique_ptr ectx; - ceph::bufferlist buffer; -- nonce_t nonce; -+ nonce_t nonce, initial_nonce; -+ bool used_initial_nonce; - static_assert(sizeof(nonce) == AESGCM_IV_LEN); - - public: -@@ -44,7 +49,7 @@ public: - const nonce_t& nonce) - : cct(cct), - ectx(EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free), -- nonce(nonce) { -+ nonce(nonce), initial_nonce(nonce), used_initial_nonce(false) { - ceph_assert_always(ectx); - ceph_assert_always(key.size() * CHAR_BIT == 128); - -@@ -61,6 +66,7 @@ public: - - ~AES128GCM_OnWireTxHandler() override { - ::ceph::crypto::zeroize_for_security(&nonce, sizeof(nonce)); -+ ::ceph::crypto::zeroize_for_security(&initial_nonce, sizeof(initial_nonce)); - } - - std::uint32_t calculate_segment_size(std::uint32_t size) override -@@ -78,6 +84,13 @@ public: - void AES128GCM_OnWireTxHandler::reset_tx_handler( - std::initializer_list update_size_sequence) - { -+ if (nonce == initial_nonce) { -+ if (used_initial_nonce) { -+ throw ceph::crypto::onwire::TxHandlerError("out of nonces"); -+ } -+ used_initial_nonce = true; -+ } -+ - if(1 != EVP_EncryptInit_ex(ectx.get(), nullptr, nullptr, nullptr, - reinterpret_cast(&nonce))) { - throw std::runtime_error("EVP_EncryptInit_ex failed"); -diff --git a/src/msg/async/crypto_onwire.h b/src/msg/async/crypto_onwire.h -index bd682e8c71..0c544f205a 100644 ---- a/src/msg/async/crypto_onwire.h -+++ b/src/msg/async/crypto_onwire.h -@@ -45,6 +45,11 @@ struct MsgAuthError : public std::runtime_error { - } - }; - -+struct TxHandlerError : public std::runtime_error { -+ TxHandlerError(const char* what) -+ : std::runtime_error(std::string("tx handler error: ") + what) {} -+}; -+ - struct TxHandler { - virtual ~TxHandler() = default; - --- -2.20.1 - diff --git a/recipes-extended/ceph/ceph/0001-msg-async-crypto_onwire-fix-endianness-of-nonce_t.patch b/recipes-extended/ceph/ceph/0001-msg-async-crypto_onwire-fix-endianness-of-nonce_t.patch deleted file mode 100644 index ad8a2055..00000000 --- a/recipes-extended/ceph/ceph/0001-msg-async-crypto_onwire-fix-endianness-of-nonce_t.patch +++ /dev/null @@ -1,61 +0,0 @@ -From dfd1d81cec62e21e21696dc87d4db5f920e51a67 Mon Sep 17 00:00:00 2001 -From: Ilya Dryomov -Date: Fri, 6 Mar 2020 20:16:45 +0100 -Subject: [PATCH] msg/async/crypto_onwire: fix endianness of nonce_t - -As a AES-GCM IV, nonce_t is implicitly shared between server and -client. Currently, if their endianness doesn't match, they are unable -to communicate in secure mode because each gets its own idea of what -the next nonce should be after the counter is incremented. - -Several RFCs state that the nonce counter should be BE, but since we -use LE for everything on-disk and on-wire, make it LE. - -Signed-off-by: Ilya Dryomov -Reviewed-by: Radoslaw Zarzynski -Reviewed-by: Sage Weil - -CVE: CVE-2020-1759 -Upstream Status: Backport [dfd1d81cec62e21e21696dc87d4db5f920e51a67] - -Signed-off-by: Sakib Sajal ---- - src/msg/async/crypto_onwire.cc | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/msg/async/crypto_onwire.cc b/src/msg/async/crypto_onwire.cc -index 07e7fe6553..c39632cbd6 100644 ---- a/src/msg/async/crypto_onwire.cc -+++ b/src/msg/async/crypto_onwire.cc -@@ -20,8 +20,8 @@ static constexpr const std::size_t AESGCM_TAG_LEN{16}; - static constexpr const std::size_t AESGCM_BLOCK_LEN{16}; - - struct nonce_t { -- std::uint32_t random_seq; -- std::uint64_t random_rest; -+ ceph_le32 random_seq; -+ ceph_le64 random_rest; - - bool operator==(const nonce_t& rhs) const { - return !memcmp(this, &rhs, sizeof(*this)); -@@ -99,7 +99,7 @@ void AES128GCM_OnWireTxHandler::reset_tx_handler( - buffer.reserve(std::accumulate(std::begin(update_size_sequence), - std::end(update_size_sequence), AESGCM_TAG_LEN)); - -- ++nonce.random_seq; -+ nonce.random_seq = nonce.random_seq + 1; - } - - void AES128GCM_OnWireTxHandler::authenticated_encrypt_update( -@@ -204,7 +204,7 @@ void AES128GCM_OnWireRxHandler::reset_rx_handler() - reinterpret_cast(&nonce))) { - throw std::runtime_error("EVP_DecryptInit_ex failed"); - } -- ++nonce.random_seq; -+ nonce.random_seq = nonce.random_seq + 1; - } - - ceph::bufferlist AES128GCM_OnWireRxHandler::authenticated_decrypt_update( --- -2.20.1 - diff --git a/recipes-extended/ceph/ceph/0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch b/recipes-extended/ceph/ceph/0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch deleted file mode 100644 index 30906d7c..00000000 --- a/recipes-extended/ceph/ceph/0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 92da834cababc4dddd5dbbab5837310478d1e6d4 Mon Sep 17 00:00:00 2001 -From: Abhishek Lekshmanan -Date: Fri, 27 Mar 2020 19:29:01 +0100 -Subject: [PATCH] rgw: EPERM to ERR_INVALID_REQUEST - -As per Robin's comments and S3 spec - -Signed-off-by: Abhishek Lekshmanan - -CVE: CVE-2020-1760 -Upstream Status: Backport [92da834cababc4dddd5dbbab5837310478d1e6d4] - -Signed-off-by: Sakib Sajal ---- - src/rgw/rgw_rest_s3.cc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc -index 1bfc8312de..f13ae23dd6 100644 ---- a/src/rgw/rgw_rest_s3.cc -+++ b/src/rgw/rgw_rest_s3.cc -@@ -301,7 +301,7 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, - /* reject unauthenticated response header manipulation, see - * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */ - if (s->auth.identity->is_anonymous()) { -- return -EPERM; -+ return -ERR_INVALID_REQUEST; - } - if (strcmp(p->param, "response-content-type") != 0) { - response_attrs[p->http_attr] = val; --- -2.20.1 - diff --git a/recipes-extended/ceph/ceph/0001-rgw-reject-control-characters-in-response-header-act.patch b/recipes-extended/ceph/ceph/0001-rgw-reject-control-characters-in-response-header-act.patch deleted file mode 100644 index af0fc79a..00000000 --- a/recipes-extended/ceph/ceph/0001-rgw-reject-control-characters-in-response-header-act.patch +++ /dev/null @@ -1,64 +0,0 @@ -From be7679007c3dfab3e19c22c38c36ccac91828e3b Mon Sep 17 00:00:00 2001 -From: "Robin H. Johnson" -Date: Fri, 27 Mar 2020 20:48:13 +0100 -Subject: [PATCH] rgw: reject control characters in response-header actions - -S3 GetObject permits overriding response header values, but those inputs -need to be validated to insure only characters that are valid in an HTTP -header value are present. - -Credit: Initial vulnerability discovery by William Bowling (@wcbowling) -Credit: Further vulnerability discovery by Robin H. Johnson -Signed-off-by: Robin H. Johnson - -CVE: CVE-2020-1760 -Upstream Status: Backport [be7679007c3dfab3e19c22c38c36ccac91828e3b] - -Signed-off-by: Sakib Sajal ---- - src/rgw/rgw_rest_s3.cc | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc -index f13ae23dd6..0de040968c 100644 ---- a/src/rgw/rgw_rest_s3.cc -+++ b/src/rgw/rgw_rest_s3.cc -@@ -189,6 +189,15 @@ int decode_attr_bl_single_value(map& attrs, const char *attr - return 0; - } - -+inline bool str_has_cntrl(const std::string s) { -+ return std::any_of(s.begin(), s.end(), ::iscntrl); -+} -+ -+inline bool str_has_cntrl(const char* s) { -+ std::string _s(s); -+ return str_has_cntrl(_s); -+} -+ - int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, - off_t bl_len) - { -@@ -303,6 +312,19 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, - if (s->auth.identity->is_anonymous()) { - return -ERR_INVALID_REQUEST; - } -+ /* HTTP specification says no control characters should be present in -+ * header values: https://tools.ietf.org/html/rfc7230#section-3.2 -+ * field-vchar = VCHAR / obs-text -+ * -+ * Failure to validate this permits a CRLF injection in HTTP headers, -+ * whereas S3 GetObject only permits specific headers. -+ */ -+ if(str_has_cntrl(val)) { -+ /* TODO: return a more distinct error in future; -+ * stating what the problem is */ -+ return -ERR_INVALID_REQUEST; -+ } -+ - if (strcmp(p->param, "response-content-type") != 0) { - response_attrs[p->http_attr] = val; - } else { --- -2.20.1 - diff --git a/recipes-extended/ceph/ceph/0001-rgw-reject-unauthenticated-response-header-actions.patch b/recipes-extended/ceph/ceph/0001-rgw-reject-unauthenticated-response-header-actions.patch deleted file mode 100644 index ae241473..00000000 --- a/recipes-extended/ceph/ceph/0001-rgw-reject-unauthenticated-response-header-actions.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 8f90658c731499722d5f4393c8ad70b971d05f77 Mon Sep 17 00:00:00 2001 -From: Matt Benjamin -Date: Fri, 27 Mar 2020 18:13:48 +0100 -Subject: [PATCH] rgw: reject unauthenticated response-header actions - -Signed-off-by: Matt Benjamin -Reviewed-by: Casey Bodley -(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400) - -CVE: CVE-2020-1760 -Upstream Status: Backport [8f90658c731499722d5f4393c8ad70b971d05f77] - -Signed-off-by: Sakib Sajal ---- - src/rgw/rgw_rest_s3.cc | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc -index 532d738b58..1bfc8312de 100644 ---- a/src/rgw/rgw_rest_s3.cc -+++ b/src/rgw/rgw_rest_s3.cc -@@ -298,6 +298,11 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, - bool exists; - string val = s->info.args.get(p->param, &exists); - if (exists) { -+ /* reject unauthenticated response header manipulation, see -+ * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */ -+ if (s->auth.identity->is_anonymous()) { -+ return -EPERM; -+ } - if (strcmp(p->param, "response-content-type") != 0) { - response_attrs[p->http_attr] = val; - } else { --- -2.20.1 - diff --git a/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch b/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch deleted file mode 100644 index 79f2174b..00000000 --- a/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch +++ /dev/null @@ -1,95 +0,0 @@ -From ddbac9b2779172876ebd2d26b68b04b02350a125 Mon Sep 17 00:00:00 2001 -From: Josh Durgin -Date: Thu, 23 Apr 2020 00:22:10 -0400 -Subject: [PATCH 2/3] mon: enforce caps for pre-octopus client tell commands - -This affects only the commands whitelisted here - in particular -injectargs requires write access to the monitors. - -Signed-off-by: Josh Durgin - -Upstream-status: Backport -[https://github.com/ceph/ceph/commit/fc5e56b75a97c4652c87e9959aad1c4dec45010d] - -Signed-off-by: Liu Haitao ---- - src/mon/Monitor.cc | 56 +++++++++++++++++++++++----------------------- - 1 file changed, 28 insertions(+), 28 deletions(-) - -diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc -index b7cb3eae..eecd2f68 100644 ---- a/src/mon/Monitor.cc -+++ b/src/mon/Monitor.cc -@@ -3226,34 +3226,6 @@ void Monitor::handle_command(MonOpRequestRef op) - return; - } - -- // compat kludge for legacy clients trying to tell commands that are -- // new. see bottom of MonCommands.h. we need to handle both (1) -- // pre-octopus clients and (2) octopus clients with a mix of pre-octopus -- // and octopus mons. -- if ((!HAVE_FEATURE(m->get_connection()->get_features(), SERVER_OCTOPUS) || -- monmap->min_mon_release < ceph_release_t::octopus) && -- (prefix == "injectargs" || -- prefix == "smart" || -- prefix == "mon_status" || -- prefix == "heap")) { -- if (m->get_connection()->get_messenger() == 0) { -- // Prior to octopus, monitors might forward these messages -- // around. that was broken at baseline, and if we try to process -- // this message now, it will assert out when we try to send a -- // message in reply from the asok/tell worker (see -- // AnonConnection). Just reply with an error. -- dout(5) << __func__ << " failing forwarded command from a (presumably) " -- << "pre-octopus peer" << dendl; -- reply_command( -- op, -EBUSY, -- "failing forwarded tell command in mixed-version mon cluster", 0); -- return; -- } -- dout(5) << __func__ << " passing command to tell/asok" << dendl; -- cct->get_admin_socket()->queue_tell_command(m); -- return; -- } -- - string module; - string err; - -@@ -3368,6 +3340,34 @@ void Monitor::handle_command(MonOpRequestRef op) - << "entity='" << session->entity_name << "' " - << "cmd=" << m->cmd << ": dispatch"; - -+ // compat kludge for legacy clients trying to tell commands that are -+ // new. see bottom of MonCommands.h. we need to handle both (1) -+ // pre-octopus clients and (2) octopus clients with a mix of pre-octopus -+ // and octopus mons. -+ if ((!HAVE_FEATURE(m->get_connection()->get_features(), SERVER_OCTOPUS) || -+ monmap->min_mon_release < ceph_release_t::octopus) && -+ (prefix == "injectargs" || -+ prefix == "smart" || -+ prefix == "mon_status" || -+ prefix == "heap")) { -+ if (m->get_connection()->get_messenger() == 0) { -+ // Prior to octopus, monitors might forward these messages -+ // around. that was broken at baseline, and if we try to process -+ // this message now, it will assert out when we try to send a -+ // message in reply from the asok/tell worker (see -+ // AnonConnection). Just reply with an error. -+ dout(5) << __func__ << " failing forwarded command from a (presumably) " -+ << "pre-octopus peer" << dendl; -+ reply_command( -+ op, -EBUSY, -+ "failing forwarded tell command in mixed-version mon cluster", 0); -+ return; -+ } -+ dout(5) << __func__ << " passing command to tell/asok" << dendl; -+ cct->get_admin_socket()->queue_tell_command(m); -+ return; -+ } -+ - if (mon_cmd->is_mgr()) { - const auto& hdr = m->get_header(); - uint64_t size = hdr.front_len + hdr.middle_len + hdr.data_len; --- -2.25.1 - diff --git a/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch b/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch deleted file mode 100644 index ed2a63e7..00000000 --- a/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 56800925651857821034ac9c8ec82d45635cc3b8 Mon Sep 17 00:00:00 2001 -From: Josh Durgin -Date: Wed, 13 May 2020 21:34:56 -0700 -Subject: [PATCH 3/3] PendingReleaseNotes: note about security fix - -Signed-off-by: Josh Durgin - -Upstream-status: Backport -[https://github.com/ceph/ceph/commit/06f239fc35f35865d2cf92dda1ac8f4d5fe82bde] - -Signed-off-by: Liu Haitao ---- - PendingReleaseNotes | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/PendingReleaseNotes b/PendingReleaseNotes -index c9fd4c79..6e07ce6d 100644 ---- a/PendingReleaseNotes -+++ b/PendingReleaseNotes -@@ -1,6 +1,8 @@ - >=15.0.0 - -------- - -+* CVE-2020-10736: Fixes an authorization bypass in monitor and manager daemons -+ - * The RGW "num_rados_handles" has been removed. - * If you were using a value of "num_rados_handles" greater than 1 - multiply your current "objecter_inflight_ops" and --- -2.25.1 - diff --git a/recipes-extended/ceph/ceph_15.2.0.bb b/recipes-extended/ceph/ceph_15.2.0.bb deleted file mode 100644 index 8454a200..00000000 --- a/recipes-extended/ceph/ceph_15.2.0.bb +++ /dev/null @@ -1,153 +0,0 @@ -SUMMARY = "User space components of the Ceph file system" -LICENSE = "LGPLv2.1 & GPLv2 & Apache-2.0 & MIT" -LIC_FILES_CHKSUM = "file://COPYING-LGPL2.1;md5=fbc093901857fcd118f065f900982c24 \ - file://COPYING-GPL2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://COPYING;md5=4eb012c221c5fd4b760029a2981a6754 \ -" -inherit cmake python3native python3-dir systemd -# Disable python pybind support for ceph temporary, when corss compiling pybind, -# pybind mix cmake and python setup environment, would case a lot of errors. - -SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \ - file://0001-ceph-fix-build-errors-for-cross-compile.patch \ - file://0001-fix-host-library-paths-were-used.patch \ - file://ceph.conf \ - file://0001-msg-async-ProtocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch \ - file://0001-msg-async-crypto_onwire-fix-endianness-of-nonce_t.patch \ - file://0001-rgw-reject-unauthenticated-response-header-actions.patch \ - file://0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch \ - file://0001-rgw-reject-control-characters-in-response-header-act.patch \ - file://0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch \ - file://0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch \ - file://0003-PendingReleaseNotes-note-about-security-fix.patch \ - file://0001-add-missing-include-for-atomic-bool.patch \ - file://0001-cmake-add-support-for-python3.9.patch \ -" - -SRC_URI[md5sum] = "1f9af648b4c6d19975aab2583ab99710" -SRC_URI[sha256sum] = "4292c473d1714a6602c525d7582e4e03ec608f0a1cbc0dd338207e5c7068e0d3" -SRC_URI[sha1sum] = "7158806ece1483fcccdf1172c20cc34d9401c543" -SRC_URI[sha384sum] = "20e996dbf30d1e33a6d6aae36960190125ce263d306415bcec5d2b3032b8b8f730deeba3ca318576573127d08909404a" -SRC_URI[sha512sum] = "07a3ff2ccf1a3abac652ff8c5f1611e7c628fcedcb280adc6cd49792b46fa50c7c29437dc57c2c4a6af708a6833abf8c1a386ef2142d30bd5e1f214ba7aec4f2" - -DEPENDS = "boost bzip2 curl expat gperf-native \ - keyutils libaio libibverbs lz4 \ - nspr nss \ - oath openldap openssl \ - python3 python3-cython-native rabbitmq-c rocksdb snappy udev \ - valgrind xfsprogs zlib \ -" -SYSTEMD_SERVICE_${PN} = " \ - ceph-radosgw@.service \ - ceph-radosgw.target \ - ceph-mon@.service \ - ceph-mon.target \ - ceph-mds@.service \ - ceph-mds.target \ - ceph-osd@.service \ - ceph-osd.target \ - ceph.target \ - ceph-rbd-mirror@.service \ - ceph-rbd-mirror.target \ - ceph-volume@.service \ - ceph-mgr@.service \ - ceph-mgr.target \ - ceph-crash.service \ - rbdmap.service \ - ceph-immutable-object-cache@.service \ - ceph-immutable-object-cache.target \ -" -OECMAKE_GENERATOR = "Unix Makefiles" - -EXTRA_OECMAKE = "-DWITH_MANPAGE=OFF \ - -DWITH_FUSE=OFF \ - -DWITH_SPDK=OFF \ - -DWITH_LEVELDB=OFF \ - -DWITH_LTTNG=OFF \ - -DWITH_BABELTRACE=OFF \ - -DWITH_TESTS=OFF \ - -DWITH_MGR=OFF \ - -DWITH_MGR_DASHBOARD_FRONTEND=OFF \ - -DWITH_SYSTEM_BOOST=ON \ - -DWITH_SYSTEM_ROCKSDB=ON \ - -DWITH_RDMA=OFF \ - -DWITH_RADOSGW_AMQP_ENDPOINT=OFF \ - -DPYTHON_INSTALL_DIR=${PYTHON_SITEPACKAGES_DIR} -DPYTHON_DESIRED=3 \ - -DPython3_EXECUTABLE=${PYTHON} \ - -DWITH_RADOSGW_KAFKA_ENDPOINT=OFF \ - -DWITH_REENTRANT_STRSIGNAL=ON \ -" - -export STAGING_DIR_HOST - -do_configure_prepend () { - echo "set( CMAKE_SYSROOT \"${RECIPE_SYSROOT}\" )" >> ${WORKDIR}/toolchain.cmake - echo "set( CMAKE_DESTDIR \"${D}\" )" >> ${WORKDIR}/toolchain.cmake - echo "set( PYTHON_SITEPACKAGES_DIR \"${PYTHON_SITEPACKAGES_DIR}\" )" >> ${WORKDIR}/toolchain.cmake -} - -do_install_append () { - sed -i -e 's:^#!/usr/bin/python$:&3:' \ - -e 's:${WORKDIR}.*python3:${bindir}/python3:' \ - ${D}${bindir}/ceph ${D}${bindir}/ceph-crash \ - ${D}${bindir}/ceph-volume ${D}${bindir}/ceph-volume-systemd - find ${D} -name SOURCES.txt | xargs sed -i -e 's:${WORKDIR}::' - install -d ${D}${sysconfdir}/ceph - install -m 644 ${WORKDIR}/ceph.conf ${D}${sysconfdir}/ceph/ - install -d ${D}${systemd_unitdir} - mv ${D}${libexecdir}/systemd/system ${D}${systemd_unitdir} - mv ${D}${libexecdir}/ceph/ceph-osd-prestart.sh ${D}${libdir}/ceph - mv ${D}${libexecdir}/ceph/ceph_common.sh ${D}${libdir}/ceph - # WITH_FUSE is set to OFF, remove ceph-fuse related units - rm ${D}${systemd_unitdir}/system/ceph-fuse.target ${D}${systemd_unitdir}/system/ceph-fuse@.service -} - -do_install_append_class-target () { - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - echo "d /var/lib/ceph/crash/posted 0755 root root - -" > ${D}${sysconfdir}/tmpfiles.d/ceph-placeholder.conf - fi - - if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/default/volatiles - echo "d root root 0755 /var/lib/ceph/crash/posted none" > ${D}${sysconfdir}/default/volatiles/99_ceph-placeholder - fi -} - -pkg_postinst_${PN}() { - if [ -z "$D" ] && [ -e ${sysconfdir}/init.d/populate-volatile.sh ] ; then - ${sysconfdir}/init.d/populate-volatile.sh update - fi -} - -FILES_${PN} += "\ - ${libdir}/rados-classes/*.so.* \ - ${libdir}/ceph/compressor/*.so \ - ${libdir}/rados-classes/*.so \ - ${libdir}/ceph/*.so \ -" - -FILES_${PN} += " \ - /etc/tmpfiles.d/ceph-placeholder.conf \ - /etc/default/volatiles/99_ceph-placeholder \ -" - -FILES_${PN}-python = "\ - ${PYTHON_SITEPACKAGES_DIR}/* \ -" -RDEPENDS_${PN} += "\ - python3-core \ - python3-misc \ - python3-modules \ - python3-prettytable \ - ${PN}-python \ -" -COMPATIBLE_HOST = "(x86_64).*" -PACKAGES += " \ - ${PN}-python \ -" -INSANE_SKIP_${PN}-python += "ldflags" -INSANE_SKIP_${PN} += "dev-so" -CCACHE_DISABLE = "1" - -CVE_PRODUCT = "ceph ceph_storage ceph_storage_mon ceph_storage_osd" diff --git a/recipes-extended/ceph/ceph_15.2.8.bb b/recipes-extended/ceph/ceph_15.2.8.bb new file mode 100644 index 00000000..f771baa2 --- /dev/null +++ b/recipes-extended/ceph/ceph_15.2.8.bb @@ -0,0 +1,145 @@ +SUMMARY = "User space components of the Ceph file system" +LICENSE = "LGPLv2.1 & GPLv2 & Apache-2.0 & MIT" +LIC_FILES_CHKSUM = "file://COPYING-LGPL2.1;md5=fbc093901857fcd118f065f900982c24 \ + file://COPYING-GPL2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://COPYING;md5=4eb012c221c5fd4b760029a2981a6754 \ +" +inherit cmake python3native python3-dir systemd +# Disable python pybind support for ceph temporary, when corss compiling pybind, +# pybind mix cmake and python setup environment, would case a lot of errors. + +SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \ + file://0001-ceph-fix-build-errors-for-cross-compile.patch \ + file://0001-fix-host-library-paths-were-used.patch \ + file://ceph.conf \ + file://0001-add-missing-include-for-atomic-bool.patch \ + file://0001-cmake-add-support-for-python3.9.patch \ +" + +SRC_URI[md5sum] = "cab93dadfe38888561d390fd58b8c947" +SRC_URI[sha256sum] = "64c5eaf8c1e4092e59bc538e9241b6d5cf4ffca92563031abbea8b37b4cab9da" +SRC_URI[sha1sum] = "77b60c3775cd6e38f2d07870aee550368105c74b" +SRC_URI[sha384sum] = "2173c5176e9ff3745e4bc493585a8cf14e9e7737cf575551a010b7b84cd6b88b378dc93e6509b3a696732c51f530fa60" +SRC_URI[sha512sum] = "66c7322575165b4747955ac9de34f9f9e2d4361c8cd8498819383883045601b92f786c4336c79369d6f019db1c4524c492faa40cdceed7fc1b2b373ca6ab5065" + +DEPENDS = "boost bzip2 curl expat gperf-native \ + keyutils libaio libibverbs lz4 \ + nspr nss \ + oath openldap openssl \ + python3 python3-cython-native rabbitmq-c rocksdb snappy udev \ + valgrind xfsprogs zlib \ +" +SYSTEMD_SERVICE_${PN} = " \ + ceph-radosgw@.service \ + ceph-radosgw.target \ + ceph-mon@.service \ + ceph-mon.target \ + ceph-mds@.service \ + ceph-mds.target \ + ceph-osd@.service \ + ceph-osd.target \ + ceph.target \ + ceph-rbd-mirror@.service \ + ceph-rbd-mirror.target \ + ceph-volume@.service \ + ceph-mgr@.service \ + ceph-mgr.target \ + ceph-crash.service \ + rbdmap.service \ + ceph-immutable-object-cache@.service \ + ceph-immutable-object-cache.target \ +" +OECMAKE_GENERATOR = "Unix Makefiles" + +EXTRA_OECMAKE = "-DWITH_MANPAGE=OFF \ + -DWITH_FUSE=OFF \ + -DWITH_SPDK=OFF \ + -DWITH_LEVELDB=OFF \ + -DWITH_LTTNG=OFF \ + -DWITH_BABELTRACE=OFF \ + -DWITH_TESTS=OFF \ + -DWITH_MGR=OFF \ + -DWITH_MGR_DASHBOARD_FRONTEND=OFF \ + -DWITH_SYSTEM_BOOST=ON \ + -DWITH_SYSTEM_ROCKSDB=ON \ + -DWITH_RDMA=OFF \ + -DWITH_RADOSGW_AMQP_ENDPOINT=OFF \ + -DPYTHON_INSTALL_DIR=${PYTHON_SITEPACKAGES_DIR} -DPYTHON_DESIRED=3 \ + -DPython3_EXECUTABLE=${PYTHON} \ + -DWITH_RADOSGW_KAFKA_ENDPOINT=OFF \ + -DWITH_REENTRANT_STRSIGNAL=ON \ +" + +export STAGING_DIR_HOST + +do_configure_prepend () { + echo "set( CMAKE_SYSROOT \"${RECIPE_SYSROOT}\" )" >> ${WORKDIR}/toolchain.cmake + echo "set( CMAKE_DESTDIR \"${D}\" )" >> ${WORKDIR}/toolchain.cmake + echo "set( PYTHON_SITEPACKAGES_DIR \"${PYTHON_SITEPACKAGES_DIR}\" )" >> ${WORKDIR}/toolchain.cmake +} + +do_install_append () { + sed -i -e 's:^#!/usr/bin/python$:&3:' \ + -e 's:${WORKDIR}.*python3:${bindir}/python3:' \ + ${D}${bindir}/ceph ${D}${bindir}/ceph-crash \ + ${D}${bindir}/ceph-volume ${D}${bindir}/ceph-volume-systemd + find ${D} -name SOURCES.txt | xargs sed -i -e 's:${WORKDIR}::' + install -d ${D}${sysconfdir}/ceph + install -m 644 ${WORKDIR}/ceph.conf ${D}${sysconfdir}/ceph/ + install -d ${D}${systemd_unitdir} + mv ${D}${libexecdir}/systemd/system ${D}${systemd_unitdir} + mv ${D}${libexecdir}/ceph/ceph-osd-prestart.sh ${D}${libdir}/ceph + mv ${D}${libexecdir}/ceph/ceph_common.sh ${D}${libdir}/ceph + # WITH_FUSE is set to OFF, remove ceph-fuse related units + rm ${D}${systemd_unitdir}/system/ceph-fuse.target ${D}${systemd_unitdir}/system/ceph-fuse@.service +} + +do_install_append_class-target () { + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/lib/ceph/crash/posted 0755 root root - -" > ${D}${sysconfdir}/tmpfiles.d/ceph-placeholder.conf + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/default/volatiles + echo "d root root 0755 /var/lib/ceph/crash/posted none" > ${D}${sysconfdir}/default/volatiles/99_ceph-placeholder + fi +} + +pkg_postinst_${PN}() { + if [ -z "$D" ] && [ -e ${sysconfdir}/init.d/populate-volatile.sh ] ; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi +} + +FILES_${PN} += "\ + ${libdir}/rados-classes/*.so.* \ + ${libdir}/ceph/compressor/*.so \ + ${libdir}/rados-classes/*.so \ + ${libdir}/ceph/*.so \ +" + +FILES_${PN} += " \ + /etc/tmpfiles.d/ceph-placeholder.conf \ + /etc/default/volatiles/99_ceph-placeholder \ +" + +FILES_${PN}-python = "\ + ${PYTHON_SITEPACKAGES_DIR}/* \ +" +RDEPENDS_${PN} += "\ + python3-core \ + python3-misc \ + python3-modules \ + python3-prettytable \ + ${PN}-python \ +" +COMPATIBLE_HOST = "(x86_64).*" +PACKAGES += " \ + ${PN}-python \ +" +INSANE_SKIP_${PN}-python += "ldflags" +INSANE_SKIP_${PN} += "dev-so" +CCACHE_DISABLE = "1" + +CVE_PRODUCT = "ceph ceph_storage ceph_storage_mon ceph_storage_osd" -- cgit v1.2.3-54-g00ecf